[sudo-users] Request for feedback: regular expressions in sudoers

Patrick Spinler spinler.patrick at mayo.edu
Wed Dec 12 10:32:28 EST 2012



Well, I agree that this is dangerous, but I can think of at least one
area where a partial match might be useful.  Mind, I'm not sure that
it's worth the risk.

In fact, after thinking about this overnight, I'm not sure the whole
idea is worth the risk; regexes are complex and easy to get wrong (in
fact, I'm pretty sure that my example below is wrong).  But, so long as
regexes are coming, I can see wanting to do something like this:

  # Find rule that takes any directory, but fully specify out the
  # options for the command

  /usr/bin/find m@[\~\.\w\/ ]+@ -group KNOWNGROUP -exec chmod g+w {}\;

The problem with the above syntax is, of course, that nothing stops the
user from adding additional options, e.g. invoking the command like:

  sudo find / -exec ~/MYEVILHAX.sh -group KNOWNGROUP -exec chmod g+w {}\

Like I said, getting regexes right will be hard.

I'm firmly in the camp you mention below: anything this complicated
should be in a script where you have a bit more control and can do more
sanity checking.  Then sudo the script.

-- Pat

On 12/12/2012 05:23 AM, David.HICKS at rbs.com wrote:
> 
> I'm really looking forward to this feature, it's going to solve a *lot* of problems for me.
> 
> My vote is for option 2 because :
> 
> 1. Allowing partial matches doesn't sound like a good thing to me (for a tool of this nature) and it's a little reminiscent of the problem with the current glob/fnmatch approach - too easy to unintentionally leave the pattern open to matching additional arguments.
> 
> Forcing the admin to define the whole command line should reduce the chance of this happening, but I guess it would still be possible with ^<regex>.*$ if you really wanted it?
> 
> 2. Allowing multi-line matches doesn't sound like a great idea either for similar reasons, and I would argue that in those situations it is preferable to require users to write a script instead.
> 
> 3. Hostname regexes - definitely useful (surely more so than multi-line regexes :) )
> 
> Also, I notice in your examples you use [A-Za-z0-9] instead of [:alnum:], are you intending to include support for the POSIX character classes? (figured it might help with locale support etc).
> 
> David Hicks
> 
> 
> -----Original Message-----
> From: sudo-users-bounces at courtesan.com [mailto:sudo-users-bounces at courtesan.com] On Behalf Of Todd C. Miller
> Sent: 11 December 2012 18:19
> To: sudo-users at sudo.ws
> Subject: [sudo-users] Request for feedback: regular expressions in sudoers
> 
> I'm planning to include support for regular expression matching of
> commands in the next sudo release.  This is something I've wanted
> to do for over ten years.  Most likely this would use the pcre
> library to support perl-compatible regular expressions.
> 
> One of the main stumbling blocks has been the matter of how to
> specify the regex in the sudoers file.  There are two options I've
> been thinking about, but perhaps you all can come up with better ones.
> 
> Option 1:
> 
>     Precede the regular expression with an 'm' like perl does where
>     the character after the 'm' is the quote character that begins
>     and ends the expression.  E.g.
> 
> 	millert ALL=ALL m:^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$:,
> 	    !/usr/bin/passwd root
> 
>     This is flexible but more difficult to parse since we don't
>     know what the quote character is until we start parsing.
> 
> Option 2:
> 
>     Require that regular expressions start with a ^ and end with a $
> 
> 	millert ALL=ALL ^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$,
> 	    !/usr/bin/passwd root
> 
>     In this case we forgo the quote character entirely and require
>     that the expression be anchored with ^ and $.
> 
> Advantages of Option 1:
> 
>     o similar to perl's 'm' (match) operator.
> 
>     o can support partial matches (the ^ and $ are optional).
> 
>     o can support multiline matches (where ^ and $ match the end
>       of the line, not the end of the expression); doesn't seem
>       useful in practice.
> 
> Advantages of Option 2:
> 
>     o easier to parse; we know we are looking for a '$' to end the
>       regex.
> 
>     o potentially less error prone as all expressions require '^'
>       and '$' anchors.
> 
>     o could conceivably use regex for hostnames; no ambiguity between
>       m... and a hostname that begins with the letter m.
> 
> Thoughts?
> 
>  - todd
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
> 
> 
> 
> 
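To make the difference between the two proposals concrete, here is an added toy model of how a command list would be evaluated under each syntax. It is not sudo's code and not from any poster in this thread. Beyond what the thread states, it assumes that the command is compared as argv joined by single spaces, that a plain entry is an exact string match, and that the last matching entry of a list wins (the "allow regex, then !deny" idiom in Todd's examples relies on such a rule). Pat's find rule is rewritten in each syntax, since as posted it mixes literal text and regex in a way neither option accepts; the argv values, the /srv/shared directory and the MYEVILHAX path are constructed.

```python
"""Toy model of the two sudoers regex syntaxes proposed in this thread.
Added illustration only, not sudo's own matching code; see the module's
assumptions in the comments of parse_rule() and decide()."""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Rule:
    pattern: str   # regex source, or the literal command line
    kind: str      # "literal", "m" (option 1) or "anchored" (option 2)
    negated: bool  # entry was written with a leading '!'


def parse_rule(spec: str) -> Rule:
    # Assumption: a plain entry is an exact command line, not a glob.
    spec = spec.strip()
    negated = spec.startswith("!")
    if negated:
        spec = spec[1:].lstrip()
    # Option 1: 'm' plus an arbitrary delimiter, perl style.  The delimiter
    # is unknown until we read it, which is the parsing cost Todd mentions.
    if len(spec) >= 3 and spec[0] == "m" and not (spec[1].isalnum() or spec[1].isspace()):
        delim = spec[1]
        if not spec.endswith(delim):
            raise ValueError(f"unterminated m{delim}...{delim} expression: {spec!r}")
        return Rule(spec[2:-1], "m", negated)
    # Option 2: begins with ^ and must end with $; nothing else to look for.
    if spec.startswith("^"):
        if not spec.endswith("$"):
            raise ValueError(f"regex must end with $: {spec!r}")
        return Rule(spec, "anchored", negated)
    return Rule(spec, "literal", negated)


def rule_kind(spec: str) -> str:
    """Which grammar a spec parses under, or 'error' if it is rejected."""
    try:
        return parse_rule(spec).kind
    except ValueError:
        return "error"


def rule_matches(rule: Rule, cmdline: str) -> bool:
    if rule.kind == "literal":
        return rule.pattern == cmdline
    if rule.kind == "m":
        # perl m// semantics: a match anywhere suffices unless the author
        # wrote the anchors, so an unanchored pattern is a partial match
        return re.search(rule.pattern, cmdline) is not None
    # option 2: the whole command line must be consumed
    return re.fullmatch(rule.pattern, cmdline) is not None


def decide(rules: list[str], argv: list[str]) -> bool:
    """True if argv is permitted by the command list.
    Assumptions: argv is compared joined by single spaces, last match wins."""
    cmdline = " ".join(argv)
    verdict = False
    for spec in rules:
        rule = parse_rule(spec)
        if rule_matches(rule, cmdline):
            verdict = not rule.negated
    return verdict


# Todd's passwd example in both syntaxes; root is excluded by an exact !entry.
PASSWD_ANCHORED = ["^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$", "!/usr/bin/passwd root"]
PASSWD_M_ANCHORED = ["m:^/usr/bin/passwd [A-Za-z][A-Za-z0-9]*$:", "!/usr/bin/passwd root"]
PASSWD_M_PARTIAL = ["m:/usr/bin/passwd [A-Za-z][A-Za-z0-9]*:", "!/usr/bin/passwd root"]

# Pat's find rule rewritten under each syntax (constructed; as posted it mixes
# literal text and regex in a way neither option accepts).  The shell turns
# '\;' into the single argument ';', which is what the matcher sees.
FIND_ANCHORED = [r"^/usr/bin/find [~.\w/ ]+ -group KNOWNGROUP -exec chmod g\+w \{\} ;$"]
FIND_M_PARTIAL = [r"m@^/usr/bin/find [~.\w/ ]+@"]   # directory checked, options not


def demo() -> dict[str, bool]:
    """Constructed invocations run against each rule set."""
    alice = ["/usr/bin/passwd", "alice"]
    root = ["/usr/bin/passwd", "root"]
    root_extra = ["/usr/bin/passwd", "root", "extra"]       # one more argument
    alice_nl = ["/usr/bin/passwd", "alice\n"]               # argument ending in newline
    find_ok = "/usr/bin/find /srv/shared -group KNOWNGROUP -exec chmod g+w {} ;".split()
    find_evil = ("/usr/bin/find / -exec /home/mallory/MYEVILHAX.sh ; "
                 "-group KNOWNGROUP -exec chmod g+w {} ;").split()
    return {
        "anchored passwd alice": decide(PASSWD_ANCHORED, alice),
        "anchored passwd root": decide(PASSWD_ANCHORED, root),
        "anchored passwd root extra": decide(PASSWD_ANCHORED, root_extra),
        "partial passwd alice": decide(PASSWD_M_PARTIAL, alice),
        "partial passwd root": decide(PASSWD_M_PARTIAL, root),
        "partial passwd root extra": decide(PASSWD_M_PARTIAL, root_extra),
        "anchored find ok": decide(FIND_ANCHORED, find_ok),
        "anchored find injected -exec": decide(FIND_ANCHORED, find_evil),
        "partial find ok": decide(FIND_M_PARTIAL, find_ok),
        "partial find injected -exec": decide(FIND_M_PARTIAL, find_evil),
        "anchored passwd alice+newline": decide(PASSWD_ANCHORED, alice_nl),
        "m-anchored passwd alice+newline": decide(PASSWD_M_ANCHORED, alice_nl),
    }


if __name__ == "__main__":
    for label, allowed in demo().items():
        print(f"{'ALLOW' if allowed else 'deny ':5} {label}")
```

The "partial" rows are David's point in miniature: with an unanchored m:...: pattern, "passwd root extra" is allowed because the partial allow still fires while the exact "!passwd root" entry no longer matches, and Pat's injected -exec sails through the find rule as soon as the options are not pinned by a $ anchor; under option 2 both are rejected. The two newline rows are a check worth running against whatever engine is chosen: in perl and PCRE, $ also matches just before a trailing newline by default, so a hand-anchored m:^...$: pattern still accepts an argument that ends in a newline unless the engine is told to match only at the true end of the subject (PCRE_DOLLAR_ENDONLY, or \z in place of $), whereas the fullmatch-style option 2 does not. The rule_kind() helper also shows the hostname ambiguity Todd raises for option 1: a host named m-web01 parses as an unterminated m-...- expression and is rejected.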
