[sudo-users] Request for feedback: regular expressions in sudoers

David.HICKS at rbs.com David.HICKS at rbs.com
Wed Dec 12 06:23:45 EST 2012

I'm really looking forward to this feature, it's going to solve a *lot* of problems for me.

My vote is for option 2 because :

1. Allowing partial matches doesn't sound like a good thing to me (for a tool of this nature) and it's a little reminiscent of the problem with the current glob/fnmatch approach - too easy to unintentionally leave the pattern open to matching additional arguments.

Forcing the admin to define the whole command line should reduce the chance of this happening, but I guess it would still be possible with ^<regex>.*$ if you really wanted it?

2. Allowing multi-line matches doesn't sound like a great idea either for similar reasons, and I would argue that in those situations it is preferable to require users to write a script instead.

3. Hostname regexes - definitely useful (surely more so than multi-line regexes :) )

Also, I notice in your examples you use [A-Za-z0-9] instead of [:alnum:], are you intending to include support for the POSIX character classes? (figured it might help with locale support etc.)

David Hicks

-----Original Message-----
From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Todd C. Miller
Sent: 11 December 2012 18:19
To: sudo-users at sudo.ws
Subject: [sudo-users] Request for feedback: regular expressions in sudoers

I'm planning to include support for regular expression matching of
commands in the next sudo release.  This is something I've wanted
to do for over ten years.  Most likely this would use the pcre
library to support perl-compatible regular expressions.

One of the main stumbling blocks has been the matter of how to
specify the regex in the sudoers file.  There are two options I've
been thinking about, but perhaps you all come up with better ones.

Option 1:

    Precede the regular expression with an 'm' like perl does where
    the character after the 'm' is the quote character that begins
    and ends the expression.  E.g.

	millert ALL=ALL m:^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$:,
	    !/usr/bin/passwd root

    This is flexible but more difficult to parse since we don't
    know what the quote character is until we start parsing.

Option 2:

    Require that regular expressions start with a ^ and end with a $

	millert ALL=ALL ^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$,
	    !/usr/bin/passwd root

    In this case we forgo the quote character entirely and require
    that the expression be anchored with ^ and $.

Advantages of Option 1:

    o similar to perl's 'm' (match) operator.

    o can support partial matches (the ^ and $ are optional).

    o can support multiline matches (where ^ and $ match the end
      of the line, not the end of the expression); doesn't seem useful
      in practice.

Advantages of Option 2:

    o easier to parse; we know we are looking for a '$' to end the

    o potentially less error prone as all expressions require '^'
      and '$' anchors.

    o could conceivably use regex for hostnames; no ambiguity between
      m... and a hostname that begins with the letter m.


 - todd
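The Option 2 syntax quoted above, and the glob-leak David points out in his reply, worked through as an added example (this is not sudo's parser or Todd's proposed code): Python's re stands in for pcre, Python's fnmatch stands in for sudo's glob matcher, the "last matching entry wins" rule follows sudoers, and the command lines are constructed.

```python
import fnmatch
import re

# Added example (not sudo's own code): a toy evaluator for sudoers-style
# command lists following "Option 2" from the thread: an entry that starts
# with '^' and ends with '$' is a regular expression; anything else is a
# classic sudoers glob, approximated here with Python's fnmatch.
# A leading '!' negates an entry, as in sudoers.

def is_regex_spec(spec):
    """Option 2 rule: a regex is recognised purely by its mandatory anchors."""
    return len(spec) > 1 and spec.startswith("^") and spec.endswith("$")

def spec_matches(spec, cmdline):
    """Match one (non-negated) entry against a full 'path args' command line."""
    if is_regex_spec(spec):
        # fullmatch: the expression must consume the entire command line;
        # a '$' that stops short of a trailing newline is not accepted.
        return re.fullmatch(spec, cmdline) is not None
    # Glob fallback: '*' also matches spaces, so an unanchored trailing
    # wildcard silently admits extra arguments.
    return fnmatch.fnmatchcase(cmdline, spec)

def allowed(specs, cmdline):
    """Evaluate entries in order; as in sudoers the last matching entry wins,
    which is why '!' exceptions are listed after the broader entry."""
    verdict = False
    for spec in specs:
        negated = spec.startswith("!")
        pattern = spec[1:] if negated else spec
        if spec_matches(pattern, cmdline):
            verdict = not negated
    return verdict

# Constructed command lists: Todd's Option 2 example, the same intent written
# as a glob, and an anchored regex that still leaks through '.*'.
REGEX_SPECS = [r"^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$", "!/usr/bin/passwd root"]
GLOB_SPECS = ["/usr/bin/passwd [a-zA-Z]*", "!/usr/bin/passwd root"]
LEAKY_SPECS = [r"^/usr/bin/passwd .*$", "!/usr/bin/passwd root"]

if __name__ == "__main__":
    for cmd in ("/usr/bin/passwd alice", "/usr/bin/passwd root",
                "/usr/bin/passwd alice root", "/usr/bin/passwd -d alice"):
        print(f"{cmd:30} regex={allowed(REGEX_SPECS, cmd)!s:5} "
              f"glob={allowed(GLOB_SPECS, cmd)!s:5} leaky={allowed(LEAKY_SPECS, cmd)}")
```

Running it shows the glob and the `.*` regex both admit `/usr/bin/passwd alice root`, while the fully anchored Option 2 entry rejects it and the `!` exception still removes `passwd root` in every variant.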