[sudo-users] Extended globs

Djerk Geurts djerkg at gmail.com
Tue Mar 22 12:09:09 MDT 2022


Hi,

Thought I’d ask here after looking into why some globs don’t work in sudo when configured from FreeIPA, and as a result found out that what I’ve been trying to do doesn’t work in sudoers either.

I'm trying to manage sudo rights for teams and the sudo ruleset is getting out of hand as no globs I've tried are working (safely) except for maybe an '*' in a pathname. I'm trying to keep things secure, I'd like to allow members of a certain group to manage the services they're responsible for. These are dev guys so there's a fair bit of service management involved.

Initially, I would create a rule for systemctl start, another for stop, etc. for status, reload and restart. Then I have to add the journalctl rules for seeing the current logs and the tail options for those.

In trying to make things easier when adding rules, and knowing globs should be supported, I was hoping to simplify things to:

/usr/bin/journalctl --unit nodejs@+([a-zA-Z]) @(-t)
/usr/bin/systemctl (start|stop|status|reload|restart) nodejs@+([a-zA-Z])

But alas, none of this is working, because the supported glob only matches characters and not strings. Is there a version of sudo that does support extended globs like ?(bla) +(bla) *(bla) @(bla)?

I’ve seen the advice to write custom scripts for people to manage services with. However, this is host-style customisation that I’d like to avoid; it would be mired in the same thing I’m trying to avoid, namely lots of manual editing. I might as well deploy a CI/CD system to centrally write sudoers files or use Ansible to manage the bulging FreeIPA rules. Both would be an ugly fix for what appears to me to be a simple next step given that simple globs are already supported.

Regards,
Djerk Geurts
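As an added example (not part of the original post), a small Python checker that approximates sudo's argument matching with fnmatch(3) semantics, so a candidate sudoers argument pattern can be tested against constructed intended and unintended command lines before it is deployed. The sample command lines, service names and the `audit` helper are assumptions; Python's fnmatch does not implement the backslash escape that sudoers supports.

```python
import fnmatch

# Constructed sample argument strings, joined with single spaces the way sudo
# compares a user's arguments against the sudoers entry. Which lines a rule
# SHOULD allow is the team's intent; the checker only reports what the glob
# actually matches.
INTENDED = [
    "--unit nodejs@api -f",
    "--unit nodejs@worker",
]
UNINTENDED = [
    "--unit nodejs@api -f --no-pager -o cat",  # '*' matches across arguments
    "--unit nodejs@ -f",                       # empty instance name
    "--unit nodejs@api1",                      # digit: [a-zA-Z] is one char only
]


def matches(pattern: str, args: str) -> bool:
    """Approximate sudo's argument comparison: the sudoers wildcards *, ? and
    [...] applied by fnmatch(3) to the whole space-joined argument string.
    Extended-glob operators such as +( ) or @( ) are plain literals here,
    exactly as they are for sudoers."""
    return fnmatch.fnmatchcase(args, pattern)


def audit(pattern: str):
    """Return (intended lines matched, unintended lines matched) for a pattern.
    A sound rule matches every intended line and no unintended one."""
    hit_good = [a for a in INTENDED if matches(pattern, a)]
    hit_bad = [a for a in UNINTENDED if matches(pattern, a)]
    return hit_good, hit_bad


if __name__ == "__main__":
    for candidate in (
        "--unit nodejs@+([a-zA-Z]) @(-t)",  # extended glob from the post
        "--unit nodejs@[a-zA-Z]*",          # plain sudoers wildcards
    ):
        good, bad = audit(candidate)
        print(f"{candidate!r}: intended {len(good)}/{len(INTENDED)},"
              f" unintended {len(bad)}/{len(UNINTENDED)} -> {bad}")
```

The extended-glob pattern matches nothing at all, while `[a-zA-Z]*` matches the intended lines but also anything that follows the first letter, which is the kind of over-match worth catching before the rule reaches FreeIPA.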