[sudo-workers] Regex command arguments

Ed Neville ed-sudo at s5h.net
Thu Mar 14 12:44:23 MDT 2019


Hello,

Below is a patch to add regex matching to command arguments. I've 
purposefully restricted it to argument matching, as visudo does a good job of 
informing you if you've not pinned a command with a full path; adding that 
level of inspection to a regex does not seem trivial.

There's also a couple of insults that dropped into my head mid compiles.

Anyway, with luck here is my first contribution to something that I've 
enjoyed using for the best part of my career!


diff -r c41ea7cfedf8 doc/sudoers.man.in
--- a/doc/sudoers.man.in	Fri Mar 08 09:07:20 2019 -0700
+++ b/doc/sudoers.man.in	Thu Mar 14 18:16:09 2019 +0000
@@ -5312,6 +5312,18 @@
 (orion, perseus, hercules) without entering a password.
 This is a bit tedious for users to type, so it is a prime candidate
 for encapsulating in a shell script.
+.nf
+.sp
+.RS 0n
+%containers ALL = /usr/bin/docker \\
+    m{(run|exec)\\\\s+-it?\\\\s+[^\\\\s]+\\\\s+/bin/bash}
+.RE
+.fi
+.PP
+Any member of
+\fRcontainers\fR
+group may execute docker with run or exec commands, interactively with or without a TTY, providing they use /bin/bash shell. Only non-breaking m{} is understood.
+
 .SH "SECURITY NOTES"
 .SS "Limitations of the \(oq!\&\(cq operator"
 It is generally not effective to
diff -r c41ea7cfedf8 plugins/sudoers/ins_classic.h
--- a/plugins/sudoers/ins_classic.h	Fri Mar 08 09:07:20 2019 -0700
+++ b/plugins/sudoers/ins_classic.h	Thu Mar 14 18:16:09 2019 +0000
@@ -30,8 +30,12 @@
     "Where did you learn to type?",
     "Are you on drugs?",
     "My pet ferret can type better than you!",
-    "You type like i drive.",
+    "You type like I drive.",
     "Do you think like you type?",
     "Your mind just hasn't been the same since the electro-shock, has it?",
+    "And you went to college for that?",
+    "Ha!",
+    "You truly are trying the hunt-and-peck method.",
+    "They're watching you. Every single bad command. Santa will be unhappy.",
 
 #endif /* SUDOERS_INS_CLASSIC_H */
diff -r c41ea7cfedf8 plugins/sudoers/ins_csops.h
--- a/plugins/sudoers/ins_csops.h	Fri Mar 08 09:07:20 2019 -0700
+++ b/plugins/sudoers/ins_csops.h	Thu Mar 14 18:16:09 2019 +0000
@@ -35,5 +35,6 @@
     "I've seen penguins that can type better than that.",
     "Have you considered trying to match wits with a rutabaga?",
     "You speak an infinite deal of nothing",
+    "Smart phones make dumb users",
 
 #endif /* SUDOERS_INS_CSOPS_H */
diff -r c41ea7cfedf8 plugins/sudoers/match_command.c
--- a/plugins/sudoers/match_command.c	Fri Mar 08 09:07:20 2019 -0700
+++ b/plugins/sudoers/match_command.c	Thu Mar 14 18:16:09 2019 +0000
@@ -45,6 +45,7 @@
 #include <dirent.h>
 #include <fcntl.h>
 #include <errno.h>
+#include <regex.h>
 
 #include "sudoers.h"
 #include <gram.h>
@@ -496,6 +497,9 @@
 command_matches(const char *sudoers_cmnd, const char *sudoers_args, const struct command_digest *digest)
 {
     bool rc = false;
+    regex_t re;
+    int status;
+
     debug_decl(command_matches, SUDOERS_DEBUG_MATCH)
 
     /* Check for pseudo-commands */
@@ -516,16 +520,47 @@
     }
 
     if (has_meta(sudoers_cmnd)) {
-	/*
-	 * If sudoers_cmnd has meta characters in it, we need to
-	 * use glob(3) and/or fnmatch(3) to do the matching.
-	 */
-	if (def_fast_glob)
-	    rc = command_matches_fnmatch(sudoers_cmnd, sudoers_args, digest);
-	else
-	    rc = command_matches_glob(sudoers_cmnd, sudoers_args, digest);
+        /*
+         * If sudoers_cmnd has meta characters in it, we need to
+         * use glob(3) and/or fnmatch(3) to do the matching.
+         */
+        if (def_fast_glob)
+            rc = command_matches_fnmatch(sudoers_cmnd, sudoers_args, digest);
+        else
+            rc = command_matches_glob(sudoers_cmnd, sudoers_args, digest);
     } else {
-	rc = command_matches_normal(sudoers_cmnd, sudoers_args, digest);
+        rc = command_matches_normal(sudoers_cmnd, sudoers_args, digest);
+    }
+
+    if( rc == false ) {
+        /*
+         * only process regex args, regex on the initial command would
+         * conflict with other checks that visudo parsing performs, m{bash} !=
+         * /bin/bash, 'bash' itself would cause visudo to complain since
+         * there is no initial path. removing this seems a bad idea.
+         */
+        if( user_args && sudoers_args ) {
+            char *ptr;
+            int len = strlen( sudoers_args );
+            if( len > 2
+                    && sudoers_args[0] == 'm'
+                    && sudoers_args[1] == '{'
+                    && sudoers_args[len-1] == '}' ) {
+                rc = false;
+                ptr = strdup( sudoers_args+2 );
+                if( ptr ) {
+                    ptr[len-3] = 0;
+                    if( regcomp( &re, ptr, REG_EXTENDED|REG_NOSUB ) == 0 ) {
+                        status = regexec( &re, user_args, (size_t)0, NULL, 0 );
+                        regfree( &re );
+                        if( status == 0 ) {
+                            rc = true;
+                        }
+                    }
+                    free( ptr );
+                }
+           }
+        }
     }
 done:
     sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
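Review bot: The regex branch under `if( rc == false )` grants the match on argument content alone: rc is false at that point both when the arguments failed to match and when the command path or digest did not match, so the `rc = true` at `if( status == 0 )` can accept a command other than sudoers_cmnd whenever its arguments fit the pattern. The regex comparison belongs where the normal/glob/fnmatch matchers already compare sudoers_args against user_args, so it only runs once the command path and digest have matched. The pattern is also compiled without anchors and `regexec` matches substrings, so `m{...}` accepts any argument list containing the text; either document that or wrap the pattern as `^(...)$` before `regcomp`, and tighten `len > 2` to `len > 3` since `m{}` compiles to an empty pattern matching everything (the `\s` in the man-page example is not portable POSIX ERE — inside `[^\s]` it excludes backslash and `s`). The other changed lines of this hunk only swap tabs for spaces in untouched code, and `if(` / `strlen( ... )` differ from the file's `if (` spacing; dropping that churn and moving `regex_t re` / `int status` from the earlier hunk into this block would keep the diff to the new logic. command_matches's body continues past the hunk.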
diff -r c41ea7cfedf8 plugins/sudoers/parse.c
--- a/plugins/sudoers/parse.c	Fri Mar 08 09:07:20 2019 -0700
+++ b/plugins/sudoers/parse.c	Thu Mar 14 18:16:09 2019 +0000
@@ -42,7 +42,7 @@
 #include <gram.h>
 
 /*
- * Look up the user in the sudoers prase tree for pseudo-commands like
+ * Look up the user in the sudoers parse tree for pseudo-commands like
  * list, verify and kill.
  */
 static int
@@ -176,7 +176,7 @@
 }
 
 /*
- * Apply cmndspec-specific settngs including SELinux role/type,
+ * Apply cmndspec-specific settings including SELinux role/type,
  * Solaris privs, and command tags.
  */
 static bool
@@ -268,7 +268,7 @@
 }
 
 /*
- * Look up the user in the sudoers prase tree and check to see if they are
+ * Look up the user in the sudoers parse tree and check to see if they are
  * allowed to run the specified command on this host as the target user.
  */
 int


-- 
Best regards,
Ed http://www.s5h.net/


