Sudoers REGEX

Snyder, Alexander alex at misteralexander.com
Fri Feb 19 20:31:24 MST 2016


Simplified regex? I was reading the man page and in bold text, it says the
wildcards are not regex, because they cannot match more than a single
character, seemingly suggesting that [a-zA-Z0-9]* wouldn't match like regex
does.

//==================//
(From the man page):
Wildcards in command line arguments should be used with care.

Command line arguments are matched as a single, concatenated string. This
means a wildcard character such as ‘?’ or ‘*’ will match across word
boundaries, which may be unexpected. For example, while a sudoers entry
like:

%operator ALL = /bin/cat /var/log/messages*

will allow a command like:

$ sudo cat /var/log/messages.1

It will also allow:

$ sudo cat /var/log/messages /etc/shadow

which is probably not what was intended.

(From man page):
Wildcards
sudo allows shell-style wildcards (aka meta or glob characters) to be used
in host names, path names and command line arguments in the sudoers file.
Wildcard matching is done via the glob(3) and fnmatch(3) functions as
specified by IEEE Std 1003.1 (“POSIX.1”).

*       Matches any set of zero or more characters.
?       Matches any single character.
[...]   Matches any character in the specified range.
[!...]  Matches any character not in the specified range.
\x      For any character ‘x’, evaluates to ‘x’. This is used to
        escape special characters such as: ‘*’, ‘?’, ‘[’, and ‘]’.

Note that these are not regular expressions.

Unlike a regular expression there is no way to match one or more characters
within a range.
//===========//

My problem:

For the reason noted above, we can't do "*" (/var/log/*) ... but since the
sudoers won't recognize (per the man page) "/var/log/([a-zA-Z0-9\/\-\.]*)"
....... basically allowing infinite subdirectories, but not allowing
spaces, so you can't string commands or stack paths.

So, I think, I'm stuck. How do I cover hundreds of paths multiplied by
hundreds of commands, without dying at the keyboard crafting the request?

As a side note, my company is too big for me to have any direct control
over changing anything. It's a silo system, so everything is a ticket
request to a different team. They are always willing to hear innovative
things ... ugh! Just frustrated ... ranting more than anything, but would
really love to hear what you have to say!

Thanks,
Alex.

Sent from my Samsung Galaxy S6
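
The man-page behaviour quoted above (arguments joined into one string, then
glob-matched) is easy to reproduce outside sudo. The script below is an added
example written for this page; it is not code from the thread or from the
sudo project. It uses Python's fnmatch.fnmatchcase() as a stand-in for the
C fnmatch(3) call sudo makes, compares the command path literally (real
sudoers allows wildcards there too, which is left out), and runs constructed
cases that show why the earlier reply's [A-z0-9]* idea does not bound
anything: a following '*' still swallows spaces, so "cat /var/log/messages.1
/etc/shadow" is allowed, and since sudo compares argument strings rather than
resolved paths, "/var/log/../../etc/shadow" also matches /var/log/*.

```python
import fnmatch


def sudoers_args_match(rule_args, user_argv):
    """Emulate sudoers argument matching for one command entry.

    rule_args: the argument text of the sudoers entry; None when the entry
               names the command with no arguments (sudoers: any arguments
               are allowed); "" for a literal "" in the entry (sudoers: no
               arguments are allowed).
    user_argv: the arguments the user actually typed (argv[1:]).
    """
    if rule_args is None:
        return True
    if rule_args == "":
        return not user_argv
    # sudo joins the user's arguments into ONE space-separated string and
    # globs it against the rule's argument text with fnmatch(3).  That is
    # why '*' and '?' match across word (argument) boundaries.
    return fnmatch.fnmatchcase(" ".join(user_argv), rule_args)


def sudoers_cmnd_match(rule, user_cmd, user_argv):
    """Match a full Cmnd such as '/bin/cat /var/log/messages*'.

    The command path is compared literally here (an assumption made to
    keep the example short; real sudoers also globs the path).
    """
    cmd, sep, args = rule.partition(" ")
    if cmd != user_cmd:
        return False
    if not sep:                 # entry lists no arguments: anything goes
        return sudoers_args_match(None, user_argv)
    if args == '""':            # entry lists a literal "": no arguments
        return sudoers_args_match("", user_argv)
    return sudoers_args_match(args, user_argv)


# Constructed cases: (sudoers Cmnd, argv the user typed).  Not from the page.
CASES = [
    ("/bin/cat /var/log/messages*", ["/var/log/messages.1"]),
    ("/bin/cat /var/log/messages*", ["/var/log/messages", "/etc/shadow"]),
    # '[!/ ]' only consumes ONE character; the '*' after it spans spaces.
    ("/bin/cat /var/log/messages[!/ ]*", ["/var/log/messages.1", "/etc/shadow"]),
    # Arguments are compared as strings, not canonicalised paths.
    ("/bin/cat /var/log/*", ["/var/log/../../etc/shadow"]),
    # '?' is the only wildcard with a bounded width.
    ("/bin/cat /var/log/messages.?", ["/var/log/messages.1"]),
    ("/bin/cat /var/log/messages.?", ["/var/log/messages.1", "/etc/shadow"]),
    ('/bin/cat ""', []),
    ('/bin/cat ""', ["/etc/shadow"]),
]


def run_cases(cases=CASES):
    """Return (rule, joined argv, matched?) for each case."""
    return [
        (rule, " ".join(argv), sudoers_cmnd_match(rule, "/bin/cat", argv))
        for rule, argv in cases
    ]


if __name__ == "__main__":
    for rule, joined, ok in run_cases():
        print(f"{'ALLOW' if ok else 'deny '}  {rule!r:40}  sudo cat {joined}")
```

Of the eight cases, only the two that pin the width with ‘?’ or forbid
arguments with "" behave the way an administrator would want; every
range-plus-star pattern allows the stacked /etc/shadow argument. One caveat
for anyone reading this thread today: sudo 1.9.10 and later do accept
regular expressions for command names and arguments when the pattern is
written between ‘^’ and ‘$’, so on such versions the limitation the thread
is built around no longer applies.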
On Feb 19, 2016 18:11, "Stephen Partington" <cryptworks at gmail.com> wrote:

> I would second ldap...
> On Feb 19, 2016 6:09 PM, "Phil Waclawski" <phil.waclawski at mesacc.edu>
> wrote:
>
>> Well, you can use simplified regex.  [A-z0-9]*  and so on? (at least it
>> works for me)
>>
>> But if you need that much fine grained control over such a large
>> group...maybe time for ldap?
>>
>> Phil W
>>
>> On Fri, Feb 19, 2016 at 5:08 PM, Snyder, Alexander <
>> alex at misteralexander.com> wrote:
>>
>>> Hello!
>>>
>>> I learned today, as I am crafting a request to the Unix Security
>>> Operations team, that you can't use REGEX in a Sudoers file.
>>>
>>> Does anyone know why not?
>>>
>>> I'm not talking why not as in a policy question (
>>> http://www.sudo.ws/man/1.8.15/sudoers.man.html)
>>>
>>> I'm talking why not as in a technical capabilities thing .... wouldn't
>>> be using REGEX in a Sudoers file be great?  Is there any practical reason
>>> that anyone can think of as to why this hasn't been innovated yet?
>>>
>>> If no ... anyone want to get on that bandwagon with me and make
>>> (specify?) "Sudoers 2.0!" ... where in we allow the use of REGEX.
>>>
>>> Since I can't use REGEX, I am relegated to specifying hundreds of lines
>>> of possible use-case scenarios for commands+paths, for use in a 5
>>> environment (+production) system.  I briefly flirted with writing a
>>> script+for-loop to do this work for me, but that would result in a sudoers
>>> file request thousands of lines long .... my manager would shit himself ...
>>> and then be upset that I even submitted a request like that.
>>>
>>> Outside of us forking sudo ... anyone have any comments?
>>>
>>> I know its Friday (fav and forget) ... but if anyone has any suggestions
>>> on a middle ground between REGEX Sudo and a 3,000 line sudoers file ... I'm
>>> all ears!
>>>
>>> --
>>> Thanks,
>>> --:: Alexander J. Snyder ::--
>>> --:: ThisGuyShouldWorkFor.Us <http://thisguyshouldworkfor.us> ::--
>>> --:: "Never trust a computer you can't throw out a window. --Steve
>>> Wozniak" ::--
>>> --
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss at lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>>>
>>
>>
>>
>
>

