[sudo-workers] Regex command arguments
Daniele Palumbo
daniele at retaggio.net
Sun Mar 17 15:52:49 MDT 2019
Much appreciated!!
> On 14 Mar 2019, at 19:44, Ed Neville <ed-sudo at s5h.net> wrote:
>
> Hello,
>
> Below is a patch to add regex matching to command arguments. I've
> purposefully left it for argument matching as visudo does a good job to
> inform you if you've not pinned a command with a full path, adding that
> level of inspection to a regex does not seem trivial.
>
> There are also a couple of insults that dropped into my head mid-compile.
>
> Anyway, with luck here is my first contribution to something that I've
> enjoyed using for the best part of my career!
>
>
> diff -r c41ea7cfedf8 doc/sudoers.man.in
> --- a/doc/sudoers.man.in Fri Mar 08 09:07:20 2019 -0700
> +++ b/doc/sudoers.man.in Thu Mar 14 18:16:09 2019 +0000
> @@ -5312,6 +5312,18 @@
> (orion, perseus, hercules) without entering a password.
> This is a bit tedious for users to type, so it is a prime candidate
> for encapsulating in a shell script.
> +.nf
> +.sp
> +.RS 0n
> +%containers ALL = /usr/bin/docker \\
> + m{(run|exec)\\\\s+-it?\\\\s+[^\\\\s]+\\\\s+/bin/bash}
> +.RE
> +.fi
> +.PP
> +Any member of
> +\fRcontainers\fR
> +group may execute docker with run or exec commands, interactively with or without a TTY, providing they use /bin/bash shell. Only non-breaking m{} is understood.
> +
> .SH "SECURITY NOTES"
> .SS "Limitations of the \(oq!\&\(cq operator"
> It is generally not effective to
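Review bot: the new paragraph should say which regex dialect m{} uses and that the pattern is unanchored. The matching code hands the text between m{ and } to regcomp(3) with REG_EXTENDED and runs regexec(3) over the full argument string, so a pattern matches if it occurs anywhere in the arguments unless the rule author writes ^ and $ themselves; users reading the example above will assume a whole-string match. The example also relies on \s and [^\s], which are GNU extensions rather than POSIX ERE; [[:space:]] and [^[:space:]] are the portable spellings and work with every regcomp(). Please also check the rendered page: with four backslashes in the man source the output will show two, so confirm that is what a sudoers line actually needs. "Only non-breaking m{} is understood" is unclear; if it means the pattern must be one token with no whitespace or line continuation inside the braces, say that.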
> diff -r c41ea7cfedf8 plugins/sudoers/ins_classic.h
> --- a/plugins/sudoers/ins_classic.h Fri Mar 08 09:07:20 2019 -0700
> +++ b/plugins/sudoers/ins_classic.h Thu Mar 14 18:16:09 2019 +0000
> @@ -30,8 +30,12 @@
> "Where did you learn to type?",
> "Are you on drugs?",
> "My pet ferret can type better than you!",
> - "You type like i drive.",
> + "You type like I drive.",
> "Do you think like you type?",
> "Your mind just hasn't been the same since the electro-shock, has it?",
> + "And you went to college for that?",
> + "Ha!",
> + "You truly are trying the hunt-and-peck method.",
> + "They're watching you. Every single bad command. Santa will be unhappy.",
>
> #endif /* SUDOERS_INS_CLASSIC_H */
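Review bot: the insult additions here and in ins_csops.h, and the three comment-typo hunks in parse.c further down, are unrelated to the regex feature and should go in a separate patch so the matching change can be reviewed and reverted on its own. Within this hunk the "You type like I drive." fix is fine and the new entries follow the existing trailing-comma style, so nothing else needs changing.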
> diff -r c41ea7cfedf8 plugins/sudoers/ins_csops.h
> --- a/plugins/sudoers/ins_csops.h Fri Mar 08 09:07:20 2019 -0700
> +++ b/plugins/sudoers/ins_csops.h Thu Mar 14 18:16:09 2019 +0000
> @@ -35,5 +35,6 @@
> "I've seen penguins that can type better than that.",
> "Have you considered trying to match wits with a rutabaga?",
> "You speak an infinite deal of nothing",
> + "Smart phones make dumb users",
>
> #endif /* SUDOERS_INS_CSOPS_H */
> diff -r c41ea7cfedf8 plugins/sudoers/match_command.c
> --- a/plugins/sudoers/match_command.c Fri Mar 08 09:07:20 2019 -0700
> +++ b/plugins/sudoers/match_command.c Thu Mar 14 18:16:09 2019 +0000
> @@ -45,6 +45,7 @@
> #include <dirent.h>
> #include <fcntl.h>
> #include <errno.h>
> +#include <regex.h>
>
> #include "sudoers.h"
> #include <gram.h>
> @@ -496,6 +497,9 @@
> command_matches(const char *sudoers_cmnd, const char *sudoers_args, const struct command_digest *digest)
> {
> bool rc = false;
> + regex_t re;
> + int status;
> +
> debug_decl(command_matches, SUDOERS_DEBUG_MATCH)
>
> /* Check for pseudo-commands */
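Review bot: regex_t re and int status are only used inside the new rc == false block at the end of the function, so declare them there next to ptr and len rather than at function scope; that keeps the regex state out of the pseudo-command and glob paths, which never touch it.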
> @@ -516,16 +520,47 @@
> }
>
> if (has_meta(sudoers_cmnd)) {
> - /*
> - * If sudoers_cmnd has meta characters in it, we need to
> - * use glob(3) and/or fnmatch(3) to do the matching.
> - */
> - if (def_fast_glob)
> - rc = command_matches_fnmatch(sudoers_cmnd, sudoers_args, digest);
> - else
> - rc = command_matches_glob(sudoers_cmnd, sudoers_args, digest);
> + /*
> + * If sudoers_cmnd has meta characters in it, we need to
> + * use glob(3) and/or fnmatch(3) to do the matching.
> + */
> + if (def_fast_glob)
> + rc = command_matches_fnmatch(sudoers_cmnd, sudoers_args, digest);
> + else
> + rc = command_matches_glob(sudoers_cmnd, sudoers_args, digest);
> } else {
> - rc = command_matches_normal(sudoers_cmnd, sudoers_args, digest);
> + rc = command_matches_normal(sudoers_cmnd, sudoers_args, digest);
> + }
> +
> + if( rc == false ) {
> + /*
> + * only process regex args, regex on the initial command would
> + * conflict with other checks that visudo parsing performs, m{bash} !=
> + * /bin/bash, 'bash' itself would cause visudo to complain since
> + * there is no initial path. removing this seems a bad idea.
> + */
> + if( user_args && sudoers_args ) {
> + char *ptr;
> + int len = strlen( sudoers_args );
> + if( len > 2
> + && sudoers_args[0] == 'm'
> + && sudoers_args[1] == '{'
> + && sudoers_args[len-1] == '}' ) {
> + rc = false;
> + ptr = strdup( sudoers_args+2 );
> + if( ptr ) {
> + ptr[len-3] = 0;
> + if( regcomp( &re, ptr, REG_EXTENDED|REG_NOSUB ) == 0 ) {
> + status = regexec( &re, user_args, (size_t)0, NULL, 0 );
> + regfree( &re );
> + if( status == 0 ) {
> + rc = true;
> + }
> + }
> + free( ptr );
> + }
> + }
> + }
> }
> done:
> sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
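Review bot: the new rc == false block grants a match on arguments alone. command_matches_normal(), command_matches_glob() and command_matches_fnmatch() return false both when user_cmnd does not match sudoers_cmnd (or its digest) and when only the arguments differ, and the block cannot tell the two apart, so whenever sudoers_args is an m{} pattern a regexec() hit on user_args sets rc = true regardless of which command was run. The regex comparison belongs inside those functions at the point where sudoers_args is compared with user_args, which is reached only after the path and digest checks have passed, replacing the literal comparison when sudoers_args starts with m{ rather than being retried afterwards. Further points on the same block: as quoted the braces do not balance (the added "}" after the command_matches_normal() call already closes the else, so the unchanged "}" before done: closes nothing), and the glob branch is removed and re-added with identical text, which looks like whitespace-only edits; please regenerate with diff -w or the project's indentation so only the logical change shows. The test "len > 2" admits "m{}", which after "ptr[len-3] = 0" becomes an empty pattern; require len > 3 and reject an empty pattern explicitly. A regcomp() failure is silently a non-match; log it with sudo_debug_printf() so a malformed rule is visible to the administrator. Since a sudoers rule almost always means the whole argument string, consider wrapping the user's pattern in ^(...)$ before regcomp() or documenting clearly that it is unanchored. Minor style: sudo writes "if (!rc)" and "if (cond)" without the inner spaces, and len should be size_t to match strlen().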
> diff -r c41ea7cfedf8 plugins/sudoers/parse.c
> --- a/plugins/sudoers/parse.c Fri Mar 08 09:07:20 2019 -0700
> +++ b/plugins/sudoers/parse.c Thu Mar 14 18:16:09 2019 +0000
> @@ -42,7 +42,7 @@
> #include <gram.h>
>
> /*
> - * Look up the user in the sudoers prase tree for pseudo-commands like
> + * Look up the user in the sudoers parse tree for pseudo-commands like
> * list, verify and kill.
> */
> static int
> @@ -176,7 +176,7 @@
> }
>
> /*
> - * Apply cmndspec-specific settngs including SELinux role/type,
> + * Apply cmndspec-specific settings including SELinux role/type,
> * Solaris privs, and command tags.
> */
> static bool
> @@ -268,7 +268,7 @@
> }
>
> /*
> - * Look up the user in the sudoers prase tree and check to see if they are
> + * Look up the user in the sudoers parse tree and check to see if they are
> * allowed to run the specified command on this host as the target user.
> */
> int
>
>
> --
> Best regards,
> Ed http://www.s5h.net/
>