LinuxQuestions.org


starmonche 07-28-2009 01:21 PM

sudoers and regular expressions
 
This line is in sudoers:
joeuser ALL = (root) NOPASSWD: /some/script.sh

"As-is" it does what I want. But I want to set some limitations. Namely:
$1 must be "THISVAR" or "THATVAR"
$2 must be at least 5 lowercase characters
$3 must be 12 characters long (it will be a strong password)
$4 must be 5 chars and can be ucase, lcase, spaces, and periods.

From scouring google all morning it seems that this would work:
joeuser ALL = (root) NOPASSWD: /some/script.sh (THISVAR|THATVAR) [a-z]{5,} [.]{12} [a-Z 0-9.]{5,}

But I haven't been able to even get this to work:
joeuser ALL = (root) NOPASSWD: /some/script.sh (THISVAR|THATVAR)

Running "sudo -u joeuser /some/script.sh THISVAR" yields "Sorry, user joeuser is not allowed to execute..."

What am I doing wrong? (As always, I am grateful for any help you guys provide!)

blackhole54 07-28-2009 05:30 PM

From the sudoers man page:

Code:

      Wildcards

      sudo allows shell-style wildcards (aka meta or glob characters) to be
      used in pathnames as well as command line arguments in the sudoers
      file.  Wildcard matching is done via the POSIX fnmatch(3) routine.
      Note that these are not regular expressions.

      *      Matches any set of zero or more characters.

      ?      Matches any single character.

      [...]  Matches any character in the specified range.

      [!...]  Matches any character not in the specified range.

      \x      For any character "x", evaluates to "x".  This is used to
              escape special characters such as: "*", "?", "[", and "}".

      Note that a forward slash (’/’) will not be matched by wildcards used
      in the pathname.  When matching the command line arguments, however, a
      slash does get matched by wildcards.

(emphasis added)

So no, I don't believe you can use regular expressions in /etc/sudoers.

You can accomplish the "or" function by using two separate entries. I think you can accomplish most of the rest with wildcards. With the exception noted below, I think this will come close to what you want (I have not tried it):

Code:

joeuser ALL = (root) NOPASSWD: /some/script.sh THISVAR \
  [a-z][a-z][a-z][a-z][a-z]* ???????????? \
  [a-zA-Z .][a-zA-Z .][a-zA-Z .][a-zA-Z .][a-zA-Z .]
joeuser ALL = (root) NOPASSWD: /some/script.sh THATVAR \
  [a-z][a-z][a-z][a-z][a-z]* ???????????? \
  [a-zA-Z .][a-zA-Z .][a-zA-Z .][a-zA-Z .][a-zA-Z .]

I took $3 to be exactly 12 characters long. If you meant at least, then you can add an asterisk after the question marks. Where this fails, if I understood your requirements correctly, is $2 allows any character after the first five. I don't know how to fix that. $4 has that same problem if you meant at least instead of exactly.

What might be easier, and able to meet your exact requirements, would be to write a wrapper script that enforced the variable requirements (where you could use grep and *real* regular expressions) and then allow the wrapper script in /etc/sudoers.

EDIT: You indicated one of those parameters was a password. Please remember that passwords as part of a command are considered a security risk since anybody on the system can see it while the command is running.

starmonche 07-29-2009 08:35 AM

Thank you for your help with that. I was considering doing the flag filtering in the actual script but thought that it might be more secure to nip it in the bud at the sudo source. I'll post my results here when I'm done.

This is actually a piece of a MySQL/PHP site that manages and creates SFTP accounts on a remote machine.

starmonche 07-30-2009 08:09 AM

Here's the script that the PHP site executes when the user submits info for a new account:

Quote:

#!/bin/bash
# Validates the four arguments before the account is created.
# Regex notes: [a-Z] is not a valid range for bash's regex engine, so the
# letter classes are written [a-zA-Z]; the description pattern is kept in
# a variable so the space inside its bracket expression needs no escaping.

errors=""

if ! [[ "$1" =~ (^THISVAR$|^THATVAR$) ]]; then
    errors="folder "
fi

if ! [[ "$2" =~ (^[a-z]{5,}$) ]]; then
    errors=$errors"username "
fi

# exactly 12 characters, any value
if ! [[ "$3" =~ (^.{12}$) ]]; then
    errors=$errors"password "
fi

desc_re='^[a-zA-Z0-9 .]{7,}[a-zA-Z0-9.]$'
if ! [[ "$4" =~ $desc_re ]]; then
    errors=$errors"description "
fi

if [ "$errors" = "" ]; then
    echo "pass"
else
    echo "${errors} FAILED"
fi

Thanks, blackhole54!
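The wrapper-script approach blackhole54 describes, and the checks in starmonche's script, as one added bash example that is not code from either poster: a hypothetical /usr/local/sbin/mkaccount.sh validates $1, $2 and $4 against the rules in the first post and, going one step beyond the thread, reads the password from stdin instead of the command line, so the /etc/sudoers entry for the wrapper needs no argument patterns at all.

```bash
#!/bin/bash
# Added example, not code from the thread: a wrapper that enforces the first post's
# argument rules with bash's [[ =~ ]] (POSIX ERE), so /etc/sudoers needs only a plain
# entry for the wrapper (hypothetical path): joeuser ALL = (root) NOPASSWD: /usr/local/sbin/mkaccount.sh
# Patterns are kept in single-quoted variables: [a-Z] is not a valid range for regcomp,
# and an unquoted space in the pattern would be split into two words by [[ ]].
# The password is read from stdin instead of $3 so it never appears in ps output.

# check_fields FOLDER USERNAME DESCRIPTION: prints "pass" or "<fields> FAILED".
check_fields() {
    local folder=$1 user=$2 desc=$3
    local folder_re='^(THISVAR|THATVAR)$'   # $1: exactly one of two values
    local user_re='^[a-z]{5,}$'             # $2: five or more lowercase letters
    local desc_re='^[a-zA-Z .]{5}$'         # $4: five of A-Z, a-z, space, period
    local bad=()
    [[ $folder =~ $folder_re ]] || bad+=(folder)
    [[ $user   =~ $user_re ]]   || bad+=(username)
    [[ $desc   =~ $desc_re ]]   || bad+=(description)
    if (( ${#bad[@]} > 0 )); then
        echo "${bad[*]} FAILED"
        return 1
    fi
    echo pass
}

# check_password: reads one line from stdin; succeeds only if it is exactly 12 characters.
check_password() {
    local pw
    IFS= read -r pw || return 1
    (( ${#pw} == 12 ))
}
# main FOLDER USERNAME DESCRIPTION (password on stdin): nothing privileged runs
# unless every field passed.
main() {
    local result
    if ! result=$(check_fields "$@"); then
        echo "$result"
        return 1
    fi
    if ! check_password; then
        echo "password FAILED"
        return 1
    fi
    echo pass
    # Account creation with the validated values would go here.
}

# Dispatch only when executed directly with arguments, so the file can also be sourced.
if [[ ${BASH_SOURCE[0]} == "$0" && $# -gt 0 ]]; then main "$@"; fi
```

The PHP side would then call the wrapper with three arguments and write the password to its stdin, e.g. `mkaccount.sh THISVAR joeuser 'Site.' <<< "$password"`.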

blackhole54 08-02-2009 04:39 PM

Quote:

Originally Posted by starmonche (Post 3625444)
Thanks, blackhole54!

Thank *you*. I was out of date on bash. While I was familiar with [[ ]] I was unaware of using =~ with it. That definitely simplifies tasks like this!
