Simplified regex? I was reading the man page and in bold text, it says the wildcards are not regex, because it cannot match more than a single character, seemingly suggesting that [a-zA-Z0-9]* wouldn't match like regex does.

//==================//
(From the man page):

Wildcards in command line arguments should be used with care. Command line arguments are matched as a single, concatenated string. This means a wildcard character such as ‘?’ or ‘*’ will match across word boundaries, which may be unexpected. For example, while a sudoers entry like:

    %operator ALL = /bin/cat /var/log/messages*

will allow commands like:

    $ sudo cat /var/log/messages.1

It will also allow:

    $ sudo cat /var/log/messages /etc/shadow

which is probably not what was intended.

(From man page):

Wildcards
sudo allows shell-style wildcards (aka meta or glob characters) to be used in host names, path names and command line arguments in the sudoers file. Wildcard matching is done via the glob(3) and fnmatch(3) functions as specified by IEEE Std 1003.1 (“POSIX.1”).
* Matches any character not in the specified range.
For any character ‘x’, evaluates to ‘x’. This is used to escape special characters such as: ‘*’, ‘?’, ‘[’, and ‘]’.
Note that these are not regular expressions. Unlike a regular expression there is no way to match one or more characters within a range.
//===========//

My problem: For the reason noted above, we can't do "*" (/var/log/*) ... but since the sudoers won't recognize (per the man page) "/var/log/([a-zA-Z0-9\/\-\.]*)" ....... basically allowing infinite subdirectories, but not allowing spaces, so you can't string commands or stack paths.

So, I think, I'm stuck. How do I cover hundreds of paths multiplied by hundreds of commands, without dying at the keyboard crafting the request?

As a side note, my company is too big for me to have any direct control over changing anything. It's a silo system, so everything is a ticket request to a different team.
They are always willing to hear innovative things ... ugh! Just frustrated ... ranting more than anything, but would really love to hear what you have to say!

Thanks,
Alex.

Sent from my Samsung Galaxy S6

On Feb 19, 2016 18:11, "Stephen Partington" wrote:

> I would second ldap...
>
> On Feb 19, 2016 6:09 PM, "Phil Waclawski" wrote:
>
>> Well, you can use simplified regex. [A-z0-9]* and so on? (at least it
>> works for me)
>>
>> But if you need that much fine grained control over such a large
>> group...maybe time for ldap?
>>
>> Phil W
>>
>> On Fri, Feb 19, 2016 at 5:08 PM, Snyder, Alexander <
>> alex@misteralexander.com> wrote:
>>
>>> Hello!
>>>
>>> I learned today, as I am crafting a request to the Unix Security
>>> Operations team, that you can't use REGEX in a Sudoers file.
>>>
>>> Does anyone know why not?
>>>
>>> I'm not talking why not as in a policy question (
>>> http://www.sudo.ws/man/1.8.15/sudoers.man.html)
>>>
>>> I'm talking why not as in a technical capabilities thing .... wouldn't
>>> using REGEX in a Sudoers file be great? Is there any practical reason
>>> that anyone can think of as to why this hasn't been innovated yet?
>>>
>>> If no ... anyone want to get on that bandwagon with me and make
>>> (specify?) "Sudoers 2.0!" ... wherein we allow the use of REGEX.
>>>
>>> Since I can't use REGEX, I am relegated to specifying hundreds of lines
>>> of possible use-case scenarios for commands+paths, for use in a 5
>>> environment (+production) system. I briefly flirted with writing a
>>> script+for-loop to do this work for me, but that would result in a sudoers
>>> file request thousands of lines long .... my manager would shit himself ...
>>> and then be upset that I even submitted a request like that.
>>>
>>> Outside of us forking sudo ... anyone have any comments?
>>>
>>> I know it's Friday (fav and forget) ... but if anyone has any suggestions
>>> on a middle ground between REGEX Sudo and a 3,000 line sudoers file ... I'm
>>> all ears!
>>>
>>> --
>>> Thanks,
>>> --:: Alexander J. Snyder ::--
>>> --:: ThisGuyShouldWorkFor.Us ::--
>>> --:: "Never trust a computer you can't throw out a window. --Steve
>>> Wozniak" ::--
>>> --
>>>
>>> ---------------------------------------------------
>>> PLUG-discuss mailing list - PLUG-discuss@lists.phxlinux.org
>>> To subscribe, unsubscribe, or to change your mail settings:
>>> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
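The man-page behaviour discussed in this thread (arguments matched as one concatenated string, and `[a-zA-Z0-9]*` meaning "one character from the class, then anything" rather than a regex quantifier), simulated in Python as an added example. This is not sudo's own code and was not posted by anyone in the thread. It assumes, as the quoted man page states, that sudoers joins the arguments with single spaces and matches the whole string with fnmatch(3), with the command path matched separately; `split_cmnd_spec`, `sudoers_match` and the `audit_cmnd_spec` lint are constructed helpers for reviewing a sudoers request before it is submitted.

```python
"""Simulate sudoers wildcard matching of command-line arguments.

Added example, not sudo's own code. Assumption (from the man page quoted in
the thread): sudoers joins the arguments into one space-separated string and
matches it as a whole with fnmatch(3); the command path is matched separately.
Python's fnmatch.fnmatchcase handles '*', '?', '[...]' and '[!...]' the same
way, including '*' matching a space.
"""
import fnmatch
from typing import List, Optional, Tuple


def split_cmnd_spec(spec: str) -> Tuple[str, Optional[str]]:
    """Split a sudoers command spec into (path_pattern, args_pattern).

    A spec with no argument part allows any arguments; an argument part of
    "" (two double quotes) allows no arguments at all.
    """
    parts = spec.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else None)


def sudoers_match(spec: str, argv: List[str]) -> bool:
    """Return True if argv (command path first) would be accepted by spec."""
    path_pat, args_pat = split_cmnd_spec(spec)
    if not fnmatch.fnmatchcase(argv[0], path_pat):
        return False
    if args_pat is None:            # no argument pattern: anything goes
        return True
    joined = " ".join(argv[1:])     # the single concatenated string
    if args_pat == '""':            # "" in sudoers means "no arguments"
        return joined == ""
    return fnmatch.fnmatchcase(joined, args_pat)


def audit_cmnd_spec(spec: str) -> List[str]:
    """Flag argument patterns whose wildcards can cross word boundaries.

    Constructed lint for reviewing a sudoers request; it inspects only the
    pattern text and reports why the entry may accept more than intended.
    """
    findings = []
    _, args_pat = split_cmnd_spec(spec)
    if args_pat in (None, '""'):
        return findings
    if "*" in args_pat:
        findings.append("'*' in arguments also matches spaces, so extra "
                        "arguments are accepted along with the intended one")
    if "?" in args_pat:
        findings.append("'?' in arguments can match a single space")
    return findings


if __name__ == "__main__":
    # Constructed cases mirroring the man-page example quoted in the thread.
    cases = [
        ("/bin/cat /var/log/messages*", ["/bin/cat", "/var/log/messages.1"]),
        ("/bin/cat /var/log/messages*",
         ["/bin/cat", "/var/log/messages", "/etc/shadow"]),
        # Bracket expression with no trailing '*': the pattern is bounded, so
        # the concatenated two-file string no longer fits it.
        ("/bin/cat /var/log/messages.[0-9]",
         ["/bin/cat", "/var/log/messages", "/etc/shadow"]),
        # '[a-zA-Z0-9]*' is "one character from the class, then anything":
        # the '*' is not a regex quantifier applied to the bracket expression.
        ("/bin/cat /var/log/[a-zA-Z0-9]*",
         ["/bin/cat", "/var/log/a", "/etc/shadow"]),
    ]
    for spec, argv in cases:
        print(f"{spec!r:40} {' '.join(argv)!r:40} -> {sudoers_match(spec, argv)}")
        for finding in audit_cmnd_spec(spec):
            print("    audit:", finding)
```

Running the script shows the man page's point directly: the `messages*` entry accepts both the intended `messages.1` invocation and the two-file one, the bounded `messages.[0-9]` entry accepts only the former, and the `[a-zA-Z0-9]*` entry still accepts a second file because the `*` matches the space. The audit function is the check to run over a drafted request before sending it to the team that owns the sudoers file.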