[sudo-workers] Regex command arguments

Daniele Palumbo daniele at retaggio.net
Sun Mar 17 15:52:49 MDT 2019


Much appreciated!!

> On 14 Mar 2019, at 19:44, Ed Neville <ed-sudo at s5h.net> wrote:
> 
> Hello,
> 
> Below is a patch to add regex matching to command arguments. I've 
> purposefully left it for argument matching, as visudo does a good job of 
> informing you if you've not pinned a command with a full path; adding that 
> level of inspection to a regex does not seem trivial.
> 
> There are also a couple of insults that dropped into my head mid-compile.
> 
> Anyway, with luck here is my first contribution to something that I've 
> enjoyed using for the best part of my career!
> 
> 
> diff -r c41ea7cfedf8 doc/sudoers.man.in
> --- a/doc/sudoers.man.in	Fri Mar 08 09:07:20 2019 -0700
> +++ b/doc/sudoers.man.in	Thu Mar 14 18:16:09 2019 +0000
> @@ -5312,6 +5312,18 @@
> (orion, perseus, hercules) without entering a password.
> This is a bit tedious for users to type, so it is a prime candidate
> for encapsulating in a shell script.
> +.nf
> +.sp
> +.RS 0n
> +%containers ALL = /usr/bin/docker \\
> +    m{(run|exec)\\\\s+-it?\\\\s+[^\\\\s]+\\\\s+/bin/bash}
> +.RE
> +.fi
> +.PP
> +Any member of
> +\fRcontainers\fR
> +group may execute docker with run or exec commands, interactively with or without a TTY, providing they use /bin/bash shell. Only non-breaking m{} is understood.
> +
> .SH "SECURITY NOTES"
> .SS "Limitations of the \(oq!\&\(cq operator"
> It is generally not effective to
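Review bot: the example pattern `m{(run|exec)\\\\s+-it?\\\\s+[^\\\\s]+\\\\s+/bin/bash}` is unanchored, and the matcher hands it to regexec(3), which reports a match on any substring, so `--privileged run -it img /bin/bash` and `run -it img /bin/bash -c '...'` satisfy this rule as well as the intended invocation; either the text should say that the pattern is searched for anywhere in the argument string and recommend writing `^...$`, or the matcher should add the anchors itself. Two further points on the same lines: under regcomp(3) a backslash inside a bracket expression is an ordinary character, so `[^\\s]` excludes a backslash and the letter `s` rather than whitespace (`[^[:space:]]` is the portable spelling, and `\s` outside brackets is a GNU extension, not POSIX), and the doubled backslashes need checking against how the sudoers lexer treats `\` in an argument once the man page is rendered. Lastly, "Only non-breaking m{} is understood." should be spelled out for readers: the argument field must begin with `m{`, end with `}`, be a single token, and the body is POSIX extended regex syntax.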
> diff -r c41ea7cfedf8 plugins/sudoers/ins_classic.h
> --- a/plugins/sudoers/ins_classic.h	Fri Mar 08 09:07:20 2019 -0700
> +++ b/plugins/sudoers/ins_classic.h	Thu Mar 14 18:16:09 2019 +0000
> @@ -30,8 +30,12 @@
>     "Where did you learn to type?",
>     "Are you on drugs?",
>     "My pet ferret can type better than you!",
> -    "You type like i drive.",
> +    "You type like I drive.",
>     "Do you think like you type?",
>     "Your mind just hasn't been the same since the electro-shock, has it?",
> +    "And you went to college for that?",
> +    "Ha!",
> +    "You truly are trying the hunt-and-peck method.",
> +    "They're watching you. Every single bad command. Santa will be unhappy.",
> 
> #endif /* SUDOERS_INS_CLASSIC_H */
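Review bot: the capitalisation fix on "You type like i drive." and the four new strings are unrelated to the regex feature; split them into their own patch so the argument-matching change can be reviewed and bisected on its own, and check the new lines against the tone of the existing list before adding them.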
> diff -r c41ea7cfedf8 plugins/sudoers/ins_csops.h
> --- a/plugins/sudoers/ins_csops.h	Fri Mar 08 09:07:20 2019 -0700
> +++ b/plugins/sudoers/ins_csops.h	Thu Mar 14 18:16:09 2019 +0000
> @@ -35,5 +35,6 @@
>     "I've seen penguins that can type better than that.",
>     "Have you considered trying to match wits with a rutabaga?",
>     "You speak an infinite deal of nothing",
> +    "Smart phones make dumb users",
> 
> #endif /* SUDOERS_INS_CSOPS_H */
> diff -r c41ea7cfedf8 plugins/sudoers/match_command.c
> --- a/plugins/sudoers/match_command.c	Fri Mar 08 09:07:20 2019 -0700
> +++ b/plugins/sudoers/match_command.c	Thu Mar 14 18:16:09 2019 +0000
> @@ -45,6 +45,7 @@
> #include <dirent.h>
> #include <fcntl.h>
> #include <errno.h>
> +#include <regex.h>
> 
> #include "sudoers.h"
> #include <gram.h>
> @@ -496,6 +497,9 @@
> command_matches(const char *sudoers_cmnd, const char *sudoers_args, const struct command_digest *digest)
> {
>     bool rc = false;
> +    regex_t re;
> +    int status;
> +
>     debug_decl(command_matches, SUDOERS_DEBUG_MATCH)
> 
>     /* Check for pseudo-commands */
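Review bot: `regex_t re` and `int status` are used only in the new m{} block at the end of the function, so declare them inside that block rather than widening the scope of the existing declarations; while there, `status` only needs to exist for the one regexec(3) call.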
> @@ -516,16 +520,47 @@
>     }
> 
>     if (has_meta(sudoers_cmnd)) {
> -	/*
> -	 * If sudoers_cmnd has meta characters in it, we need to
> -	 * use glob(3) and/or fnmatch(3) to do the matching.
> -	 */
> -	if (def_fast_glob)
> -	    rc = command_matches_fnmatch(sudoers_cmnd, sudoers_args, digest);
> -	else
> -	    rc = command_matches_glob(sudoers_cmnd, sudoers_args, digest);
> +        /*
> +         * If sudoers_cmnd has meta characters in it, we need to
> +         * use glob(3) and/or fnmatch(3) to do the matching.
> +         */
> +        if (def_fast_glob)
> +            rc = command_matches_fnmatch(sudoers_cmnd, sudoers_args, digest);
> +        else
> +            rc = command_matches_glob(sudoers_cmnd, sudoers_args, digest);
>     } else {
> -	rc = command_matches_normal(sudoers_cmnd, sudoers_args, digest);
> +        rc = command_matches_normal(sudoers_cmnd, sudoers_args, digest);
> +    }
> +
> +    if( rc == false ) {
> +        /*
> +         * only process regex args, regex on the initial command would
> +         * conflict with other checks that visudo parsing performs, m{bash} !=
> +         * /bin/bash, 'bash' itself would cause visudo to complain since
> +         * there is no initial path. removing this seems a bad idea.
> +         */
> +        if( user_args && sudoers_args ) {
> +            char *ptr;
> +            int len = strlen( sudoers_args );
> +            if( len > 2
> +                    && sudoers_args[0] == 'm'
> +                    && sudoers_args[1] == '{'
> +                    && sudoers_args[len-1] == '}' ) {
> +                rc = false;
> +                ptr = strdup( sudoers_args+2 );
> +                if( ptr ) {
> +                    ptr[len-3] = 0;
> +                    if( regcomp( &re, ptr, REG_EXTENDED|REG_NOSUB ) == 0 ) {
> +                        status = regexec( &re, user_args, (size_t)0, NULL, 0 );
> +                        regfree( &re );
> +                        if( status == 0 ) {
> +                            rc = true;
> +                        }
> +                    }
> +                    free( ptr );
> +                }
> +           }
> +        }
>     }
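Review bot: the fallback guarded by `if( rc == false )` re-examines only `user_args` and never consults `sudoers_cmnd` or the `digest` argument, so any earlier false result, including one produced because the command path or digest did not match, is turned into true as soon as the argument string matches the regex; the regex test must be gated on the command (and digest) having matched, e.g. by letting command_matches_normal/glob/fnmatch perform the argument comparison when `sudoers_args` starts with `m{`, or by re-checking the path here before calling regexec(). Second, the body is compiled exactly as written and regexec(3) performs a substring search, so `m{run -it img /bin/bash}` also accepts `--privileged run -it img /bin/bash -c id`; wrap the body as `^(...)$` before regcomp(), or document that users must anchor. Smaller points: a regcomp() failure is silently treated as "no match" (log it, and better, reject the pattern at parse time so visudo catches it); `rc = false;` is redundant where it appears; `int len` should be `size_t` to match strlen(3); and the re-indentation of the existing glob/fnmatch lines from tabs to spaces is whitespace churn that should be dropped from the patch.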
> done:
>     sudo_debug_printf(SUDO_DEBUG_DEBUG|SUDO_DEBUG_LINENO,
> diff -r c41ea7cfedf8 plugins/sudoers/parse.c
> --- a/plugins/sudoers/parse.c	Fri Mar 08 09:07:20 2019 -0700
> +++ b/plugins/sudoers/parse.c	Thu Mar 14 18:16:09 2019 +0000
> @@ -42,7 +42,7 @@
> #include <gram.h>
> 
> /*
> - * Look up the user in the sudoers prase tree for pseudo-commands like
> + * Look up the user in the sudoers parse tree for pseudo-commands like
>  * list, verify and kill.
>  */
> static int
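Review bot: this comment typo fix (prase → parse), and the two below it (settngs → settings, prase → parse), are unrelated to the regex feature and belong in a separate cleanup patch.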
> @@ -176,7 +176,7 @@
> }
> 
> /*
> - * Apply cmndspec-specific settngs including SELinux role/type,
> + * Apply cmndspec-specific settings including SELinux role/type,
>  * Solaris privs, and command tags.
>  */
> static bool
> @@ -268,7 +268,7 @@
> }
> 
> /*
> - * Look up the user in the sudoers prase tree and check to see if they are
> + * Look up the user in the sudoers parse tree and check to see if they are
>  * allowed to run the specified command on this host as the target user.
>  */
> int
> 
> 
> -- 
> Best regards,
> Ed http://www.s5h.net/
> 
> ____________________________________________________________
> sudo-workers mailing list <sudo-workers at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> https://www.sudo.ws/mailman/listinfo/sudo-workers
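The argument-only regex matching described in the message above, as an added example that is not part of Ed's patch nor of sudo's own code: a stand-alone C re-implementation of the `m{...}` matcher using the same regcomp(3)/regexec(3) calls, with an extra `anchor` parameter so the unanchored behaviour of the patch can be compared against an anchored variant. The function name `args_match_regex`, the `anchor` flag and the sample argument strings are assumptions constructed for this example; the rule is the man-page docker example rewritten with POSIX character classes in place of `\s`.

```c
/*
 * Added example, not sudo's code: re-implementation of the m{...} argument
 * matcher from the patch, plus optional anchoring for comparison.
 */
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Return true if sudoers_args has the form m{...} and the regex inside it
 * matches user_args.  Mirrors the patch: REG_EXTENDED|REG_NOSUB and a plain
 * regexec(3) over the whole argument string, which is a substring search.
 * When anchor is true the body is wrapped as ^( ... )$ before compiling,
 * which is the step the patch does not perform.
 */
static bool args_match_regex(const char *sudoers_args, const char *user_args,
                             bool anchor)
{
    size_t len = strlen(sudoers_args);

    if (len < 3 || sudoers_args[0] != 'm' || sudoers_args[1] != '{' ||
        sudoers_args[len - 1] != '}')
        return false;

    size_t body_len = len - 3;              /* drop leading "m{" and trailing "}" */
    char *pat = malloc(body_len + 5);       /* "^(" + body + ")$" + NUL */
    if (pat == NULL)
        return false;

    size_t n = 0;
    if (anchor) { pat[n++] = '^'; pat[n++] = '('; }
    memcpy(pat + n, sudoers_args + 2, body_len);
    n += body_len;
    if (anchor) { pat[n++] = ')'; pat[n++] = '$'; }
    pat[n] = '\0';

    regex_t re;
    bool matched = false;
    if (regcomp(&re, pat, REG_EXTENDED | REG_NOSUB) == 0) {
        matched = (regexec(&re, user_args, 0, NULL, 0) == 0);
        regfree(&re);
    }
    free(pat);
    return matched;
}

/* Man-page example with [[:space:]] instead of \s: inside a POSIX bracket
 * expression a backslash is literal, so [^\s] would not mean non-whitespace. */
#define DOCKER_RULE \
    "m{(run|exec)[[:space:]]+-it?[[:space:]]+[^[:space:]]+[[:space:]]+/bin/bash}"

int main(void)
{
    /* Constructed sample argument strings, joined as sudo would see them. */
    const char *ok       = "run -it alpine:latest /bin/bash";
    const char *trailing = "run -it alpine:latest /bin/bash -c 'id > /tmp/x'";
    const char *leading  = "--privileged run -it alpine:latest /bin/bash";
    const char *denied   = "exec -it alpine:latest /bin/sh";

    printf("unanchored: ok=%d trailing=%d leading=%d denied=%d\n",
           args_match_regex(DOCKER_RULE, ok, false),
           args_match_regex(DOCKER_RULE, trailing, false),
           args_match_regex(DOCKER_RULE, leading, false),
           args_match_regex(DOCKER_RULE, denied, false));
    printf("anchored:   ok=%d trailing=%d leading=%d denied=%d\n",
           args_match_regex(DOCKER_RULE, ok, true),
           args_match_regex(DOCKER_RULE, trailing, true),
           args_match_regex(DOCKER_RULE, leading, true),
           args_match_regex(DOCKER_RULE, denied, true));
    return 0;
}
```

The unanchored run accepts the extra `-c '...'` and the leading `--privileged` because regexec(3) only needs the pattern to occur somewhere in the string; the anchored run accepts only the exact shape the rule author wrote. The body is wrapped in parentheses before the anchors so that a top-level alternation such as `m{run|exec}` is anchored as a whole rather than only on its first branch.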
