sudoers and regular expressions
This line is in sudoers:
Code:
joeuser ALL = (root) NOPASSWD: /some/script.sh

"As-is" it does what I want. But I want to set some limitations. Namely:

$1 must be "THISVAR" or "THATVAR"
$2 must be at least 5 lowercase characters
$3 must be 12 characters long (it will be a strong password)
$4 must be 5 chars and can be ucase, lcase, spaces, and periods.

From scouring Google all morning it seems that this would work:

Code:
joeuser ALL = (root) NOPASSWD: /some/script.sh (THISVAR|THATVAR) [a-z]{5,} [.]{12} [a-Z 0-9.]{5,}

But I haven't been able to even get this to work:

Code:
joeuser ALL = (root) NOPASSWD: /some/script.sh (THISVAR|THATVAR)

Running "sudo -u joeuser /some/script.sh THISVAR" yields "Sorry, user joeuser is not allowed to execute..."

What am I doing wrong? (As always, I am grateful for any help you guys provide!)
From the sudoers man page:
Code:
Wildcards

You can accomplish the "or" function by using two separate entries. I think you can accomplish most of the rest with wildcards. With the exception noted below, I think this will come close to what you want (I have not tried it):

Code:
joeuser ALL = (root) NOPASSWD: /some/script.sh THISVAR \

What might be easier, and would be able to meet your exact requirements, would be to write a wrapper script that enforced the variable requirements (where you could use grep and *real* regular expressions) and then allow the wrapper script in /etc/sudoers.

EDIT: You indicated one of those parameters was a password. Please remember that passwords as part of a command are considered a security risk since anybody on the system can see them while the command is running.
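The wrapper-script approach suggested in the reply above, written out as an added example (this is not code from the thread or from the poster's site). It enforces the four rules from the original question with POSIX extended regular expressions via grep, and, following the EDIT about passwords on the command line, takes the password on the wrapper's standard input rather than as an argument. The path /some/script.sh is the one from the thread; the function names, the exit codes, and the assumption that the real script can also read the password from stdin are this example's own. Rule 4 is implemented as the prose states it (exactly five characters from letters, space and period), not as the wider `[a-Z 0-9.]{5,}` pattern in the question.

```shell
#!/bin/sh
# Constructed example: a wrapper that validates its arguments before handing
# them to the privileged script. Only this wrapper would be listed in sudoers;
# the real script is never reachable through sudo directly.

# Path from the thread; the real script is assumed to read the password on stdin.
REAL_SCRIPT=/some/script.sh

# Returns 0 when $1 matches the POSIX ERE in $2 as a whole line, 1 otherwise.
# printf is a shell builtin, so the value never appears in a process list.
matches() {
    printf '%s\n' "$1" | grep -Eq "$2"
}

# Rule 1: exactly THISVAR or THATVAR (the "or" that sudoers cannot express).
check_mode() {
    case "$1" in
        THISVAR|THATVAR) return 0 ;;
        *) return 1 ;;
    esac
}

# Rule 2: at least five lowercase ASCII letters and nothing else.
check_user() {
    matches "$1" '^[a-z]{5,}$'
}

# Rule 3: exactly twelve characters; the class is broad on purpose since this
# is a password, not an identifier ('.' matches any character, unlike '[.]').
check_password() {
    matches "$1" '^.{12}$'
}

# Rule 4: exactly five characters drawn from letters, space and period.
check_note() {
    matches "$1" '^[A-Za-z .]{5}$'
}

# Checks all four values in order; reports the first failing rule on stderr.
validate_request() {
    [ "$#" -eq 4 ]      || { echo "expected 4 values, got $#" >&2; return 1; }
    check_mode "$1"     || { echo "arg 1 must be THISVAR or THATVAR" >&2; return 1; }
    check_user "$2"     || { echo "arg 2 must be 5+ lowercase letters" >&2; return 1; }
    check_password "$3" || { echo "arg 3 must be exactly 12 characters" >&2; return 1; }
    check_note "$4"     || { echo "arg 4 must be 5 chars: letters, space, period" >&2; return 1; }
    return 0
}

# Entry point when run via sudo: three arguments, password on stdin, so the
# password is never part of the command line that other users can see.
main() {
    [ "$#" -eq 3 ] || { echo "usage: $0 MODE USER NOTE  (password on stdin)" >&2; exit 2; }
    IFS= read -r password || { echo "no password supplied on stdin" >&2; exit 2; }
    validate_request "$1" "$2" "$password" "$3" || exit 2
    # Pass the password on to the real script the same way it arrived here.
    printf '%s\n' "$password" | "$REAL_SCRIPT" "$1" "$2" "$3"
}

# Run only when invoked with arguments; with none, the functions are merely defined.
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```

With this in place the sudoers entry names only the wrapper, for example `joeuser ALL = (root) NOPASSWD: /usr/local/bin/sftp-wrapper` (a hypothetical path), and the site invokes it as `printf '%s\n' "$password" | sudo -u root /usr/local/bin/sftp-wrapper THISVAR joeuser "Jo e."`. Doing the check in a script rather than with sudoers wildcards also avoids a sudoers pitfall worth knowing: a `*` in a sudoers command argument is a glob that can match whitespace, so it may match across more than one argument.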
Thank you for your help with that. I was considering doing the flag filtering in the actual script but thought that it might be more secure to nip it in the bud at the sudo source. I'll post my results here when I'm done.
This is actually a piece of a MySQL/PHP site that manages and creates SFTP accounts on a remote machine.
Here's the script that the PHP site executes when the user submits info for a new account: