Re: Sudoers REGEX

Author: Phil Waclawski
Date:  
To: Main PLUG discussion list
Subject: Re: Sudoers REGEX
Well, you can use simplified regex. [A-z0-9]* and so on? (at least it
works for me)

But if you need that much fine-grained control over such a large
group...maybe time for LDAP?

Phil W

On Fri, Feb 19, 2016 at 5:08 PM, Snyder, Alexander wrote:


> Hello!
>
> I learned today, as I am crafting a request to the Unix Security
> Operations team, that you can't use REGEX in a Sudoers file.
>
> Does anyone know why not?
>
> I'm not talking why not as in a policy question (
> http://www.sudo.ws/man/1.8.15/sudoers.man.html)
>
> I'm talking why not as in a technical capabilities thing .... wouldn't
> using REGEX in a Sudoers file be great? Is there any practical reason that
> anyone can think of as to why this hasn't been innovated yet?
>
> If no ... anyone want to get on that bandwagon with me and make (specify?)
> "Sudoers 2.0!" ... wherein we allow the use of REGEX.
>
> Since I can't use REGEX, I am relegated to specifying hundreds of lines of
> possible use-case scenarios for commands+paths, for use in a 5 environment
> (+production) system. I briefly flirted with writing a script+for-loop to
> do this work for me, but that would result in a sudoers file request
> thousands of lines long .... my manager would shit himself ... and then be
> upset that I even submitted a request like that.
>
> Outside of us forking sudo ... anyone have any comments?
>
> I know it's Friday (fav and forget) ... but if anyone has any suggestions
> on a middle ground between REGEX Sudo and a 3,000 line sudoers file ... I'm
> all ears!
>
> --
> Thanks,
> --:: Alexander J. Snyder ::--
> --:: ThisGuyShouldWorkFor.Us <http://thisguyshouldworkfor.us> ::--
> --:: "Never trust a computer you can't throw out a window. --Steve
> Wozniak" ::--
> --
>
> ---------------------------------------------------
> PLUG-discuss mailing list -
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.phxlinux.org/mailman/listinfo/plug-discuss
>
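Added example (not part of the thread and not sudo's own code): a small check of what a wildcarded argument pattern such as the `[A-z0-9]*` mentioned above would accept before it goes into a sudoers request. It assumes sudoers matches the space-joined argument string with fnmatch(3)-style globbing and approximates that with Python's `fnmatch`; the pattern, paths and function names are constructed for illustration.

```python
import fnmatch
import string

# Assumption: sudoers joins a command's arguments into one space-separated
# string and matches it with fnmatch(3)-style globbing (C locale). Python's
# fnmatchcase is used here as an approximation of that matching.
def args_match(pattern, argv):
    return fnmatch.fnmatchcase(" ".join(argv), pattern)

def class_extras(char_class):
    """Printable ASCII a bracket class accepts besides letters and digits."""
    wanted = set(string.ascii_letters + string.digits)
    return "".join(c for c in map(chr, range(0x21, 0x7F))
                   if c not in wanted and fnmatch.fnmatchcase(c, char_class))

def risky_matches(pattern, candidates):
    """Candidates the pattern accepts despite extra words or '..' components."""
    pattern_words = len(pattern.split())
    flagged = []
    for argv in candidates:
        if not args_match(pattern, argv):
            continue
        extra_words = len(argv) > pattern_words
        traversal = any(".." in arg.split("/") for arg in argv)
        if extra_words or traversal:
            flagged.append(argv)
    return flagged

# Constructed pattern and argument lists, for illustration only.
PATTERN = "/var/log/app/[A-z0-9]*"
SAMPLES = [
    ["/var/log/app/web01.log"],
    ["/var/log/app/web01.log", "/var/log/other.log"],
    ["/var/log/app/x/../../other.log"],
    ["/var/log/app/_tmp"],
    ["/var/log/db/web01.log"],
]

if __name__ == "__main__":
    print("non-alphanumerics in [A-z0-9]:", class_extras("[A-z0-9]"))
    for argv in SAMPLES:
        print(args_match(PATTERN, argv), argv)
    print("review before approving:", risky_matches(PATTERN, SAMPLES))
```

Because `*` in an argument pattern also matches spaces and slashes, a rule written this way is broader than it looks; listing exact arguments or a narrower class keeps the rule to what was requested.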