LinuxQuestions.org
Old 07-28-2009, 01:21 PM   #1
starmonche, Member (Registered: Jan 2007; Location: Overland Park; Distribution: Centos6; Posts: 60)
sudoers and regular expressions


This line is in sudoers:
joeuser ALL = (root) NOPASSWD: /some/script.sh

"As-is" it does what I want. But I want to set some limitations. Namely:
$1 must be "THISVAR" or "THATVAR"
$2 must be at least 5 lowercase characters
$3 must be 12 characters long (it will be a strong password)
$4 must be 5 chars and can be ucase, lcase, spaces, and periods.

From scouring google all morning it seems that this would work:
joeuser ALL = (root) NOPASSWD: /some/script.sh (THISVAR|THATVAR) [a-z]{5,} [.]{12} [a-Z 0-9.]{5,}

But I haven't been able to even get this to work:
joeuser ALL = (root) NOPASSWD: /some/script.sh (THISVAR|THATVAR)

Running "sudo -u joeuser /some/script.sh THISVAR" yields "Sorry, user joeuser is not allowed to execute..."

What am I doing wrong? (As always, I am grateful for any help you guys provide!)
 
Old 07-28-2009, 05:30 PM   #2
blackhole54, Senior Member (Registered: Mar 2006; Posts: 1,896)
From the sudoers man page:

Code:
       Wildcards

       sudo allows shell-style wildcards (aka meta or glob characters) to be
       used in pathnames as well as command line arguments in the sudoers
       file.  Wildcard matching is done via the POSIX fnmatch(3) routine.
       *Note that these are not regular expressions.*

       *       Matches any set of zero or more characters.

       ?       Matches any single character.

       [...]   Matches any character in the specified range.

       [!...]  Matches any character not in the specified range.

       \x      For any character "x", evaluates to "x".  This is used to
               escape special characters such as: "*", "?", "[", and "}".

       Note that a forward slash (’/’) will not be matched by wildcards used
       in the pathname.  When matching the command line arguments, however, a
       slash does get matched by wildcards.

(emphasis added)
So no, I don't believe you can use regular expressions in /etc/sudoers.

You can accomplish the "or" function by using two separate entries. I think you can accomplish most of the rest with wildcards. With the exception noted below, I think this will come close to what you want (I have not tried it):

Code:
joeuser ALL = (root) NOPASSWD: /some/script.sh THISVAR \
   [a-z][a-z][a-z][a-z][a-z]* ???????????? \
   [a-zA-Z .][a-zA-Z .][a-zA-Z .][a-zA-Z .][a-zA-Z .]
joeuser ALL = (root) NOPASSWD: /some/script.sh THATVAR \
   [a-z][a-z][a-z][a-z][a-z]* ???????????? \
   [a-zA-Z .][a-zA-Z .][a-zA-Z .][a-zA-Z .][a-zA-Z .]
I took $3 to be exactly 12 characters long. If you meant at least, then you can add an asterisk after the question marks. Where this fails, if I understood your requirements correctly, is $2 allows any character after the first five. I don't know how to fix that. $4 has that same problem if you meant at least instead of exactly.

What might be easier, and be able to meet your exact requirements would be to write a wrapper script that enforced the variable requirements (where you could use grep and *real* regular expressions) and then allow the wrapper script in /etc/sudoers.

EDIT: You indicated one of those parameters was a password. Please remember that passwords as part of a command are considered a security risk since anybody on the system can see it while the command is running.

Last edited by blackhole54; 07-28-2009 at 08:04 PM.
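An added sudoers fragment, not part of blackhole54's post, that puts the points above side by side: a Cmnd with no argument list at all (the thread's original line) matches any arguments, a Cmnd followed by "" matches only an argument-less invocation, and the two-entry wildcard form stands in for the "or". One caveat a practitioner would want on the record: sudoers compares the whole argument list, joined by single spaces, against the pattern with fnmatch(3), and * and ? match the space character, so a trailing * on one argument can absorb additional arguments. The path /some/script.sh and the user joeuser are the thread's; the file name and everything else in the fragment are illustrative.

```text
# /etc/sudoers.d/joeuser-script  (syntax check: visudo -cf /etc/sudoers.d/joeuser-script)

# The thread's original line: no argument spec at all, so ANY arguments are accepted.
joeuser ALL = (root) NOPASSWD: /some/script.sh

# Only an argument-less invocation of the script.
joeuser ALL = (root) NOPASSWD: /some/script.sh ""

# Wildcard form (fnmatch globs, not regular expressions); two entries give the "or".
# $4 is taken here as exactly five characters of any kind.
joeuser ALL = (root) NOPASSWD: /some/script.sh THISVAR [a-z][a-z][a-z][a-z][a-z]* ???????????? ?????
joeuser ALL = (root) NOPASSWD: /some/script.sh THATVAR [a-z][a-z][a-z][a-z][a-z]* ???????????? ?????
# The trailing * on the second argument also matches "abcde --anything", because
# * matches spaces when the joined argument string is compared, so the rule can
# hand the script more than the four arguments it expects.
```

As root, `sudo -l -U joeuser` lists what the rules actually grant. When testing as joeuser, the rule's Runas is (root), so the invocation to test against it is `sudo -u root /some/script.sh ...` (or plain `sudo`, whose default target user is root); `sudo -u joeuser` asks to run as joeuser and is matched against Runas joeuser, which these rules do not grant.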
 
Old 07-29-2009, 08:35 AM   #3
starmonche, Member, Original Poster
Thank you for your help with that. I was considering doing the flag filtering in the actual script but thought that it might be more secure to nip it in the bud at the sudo source. I'll post my results here when I'm done.

This is actually a piece of a MySQL/PHP site that manages and creates SFTP accounts on a remote machine.
 
Old 07-30-2009, 08:09 AM   #4
starmonche, Member, Original Poster
Here's the script that the PHP site executes when the user submits info for a new account:

Code:
#!/bin/bash
# Validate the four positional arguments; collect the names of the bad ones.
errors=""

if ! [[ "$1" =~ (^THISVAR$|^THATVAR$) ]]; then
errors="folder "
fi

if ! [[ "$2" =~ (^[a-z]{5,}$) ]]; then
errors=$errors"username "
fi

if ! [[ "$3" =~ (^............$) ]]; then
errors=$errors"password "
fi

# [a-Z] is not a valid range and a backslash inside [...] is literal in an ERE,
# so the classes are spelled out; the pattern is kept in a variable so the
# space inside the bracket expression survives.
desc_re='^[a-zA-Z0-9 .]{7,}[a-zA-Z0-9.]$'
if ! [[ "$4" =~ $desc_re ]]; then
errors=$errors"description "
fi

if [ "$errors" = "" ]; then
echo "pass"
else
echo "$errors FAILED"
exit 1
fi
Thanks, blackhole54!
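A runnable companion to blackhole54's wildcard rule in #2 and the validation script in #4, written for this page as an added example (it is not code from either poster). bash's own pattern matching follows the same fnmatch(3) glob rules that sudoers applies to command arguments, so it is used here to show what the [a-z][a-z][a-z][a-z][a-z]* rule really accepts once the arguments are joined into one string, and beside it a wrapper-style validator with anchored regular expressions and an argument-count check. The argument values are constructed for the demonstration; the function names are this example's own.

```bash
#!/usr/bin/env bash
# Added example for this thread, not code from the original posts.
# sudoers compares the command's arguments, joined by single spaces, against
# the rule's pattern with fnmatch(3).  bash's [[ $string == $pattern ]] uses
# the same glob syntax (* and ? match any character, including a space), so
# it is a convenient stand-in for trying a rule out without touching sudoers.

# Argument part of the THISVAR rule from post #2, with $4 taken as exactly
# five characters.
SUDOERS_ARGS_GLOB='THISVAR [a-z][a-z][a-z][a-z][a-z]* ???????????? ?????'

# glob_allows JOINED_ARGS: returns 0 if the sudoers-style glob accepts the string.
glob_allows() {
    local joined="$1"
    # shellcheck disable=SC2053   # unquoted on purpose: glob match, not literal
    [[ $joined == $SUDOERS_ARGS_GLOB ]]
}

# validate_args FOLDER USERNAME PASSWORD DESCRIPTION: the wrapper-script check
# suggested in post #2, using anchored EREs via bash's =~.  Patterns live in
# variables so the space in the description class is not mangled.  Returns 0
# on success, 1 with the names of the bad fields on stderr.
validate_args() {
    if [ "$#" -ne 4 ]; then
        echo "expected 4 arguments, got $#" >&2
        return 1
    fi
    local folder_re='^(THISVAR|THATVAR)$'
    local user_re='^[a-z]{5,}$'
    local pass_re='^.{12}$'
    local desc_re='^[a-zA-Z0-9 .]{5}$'
    local errors=""
    [[ $1 =~ $folder_re ]] || errors+="folder "
    [[ $2 =~ $user_re ]]   || errors+="username "
    [[ $3 =~ $pass_re ]]   || errors+="password "
    [[ $4 =~ $desc_re ]]   || errors+="description "
    if [ -n "$errors" ]; then
        echo "${errors}FAILED" >&2
        return 1
    fi
    return 0
}

# Constructed inputs.  In the second one an extra word sits between the
# username and the password; the glob's * swallows " --dangerous" as part of
# argument 2, so sudo would run the script with five arguments.
GOOD='THISVAR alice Passw0rd!xyz Bob..'
SMUGGLED='THISVAR alice --dangerous Passw0rd!xyz Bob..'

if [ "${BASH_SOURCE[0]}" = "$0" ]; then
    for s in "$GOOD" "$SMUGGLED"; do
        if glob_allows "$s"; then echo "glob  accepts: $s"; else echo "glob  rejects: $s"; fi
        # shellcheck disable=SC2086   # split on purpose: this is the argv the script would get
        if validate_args $s 2>/dev/null; then echo "regex accepts: $s"; else echo "regex rejects: $s"; fi
    done
fi
```

Run as a script, it prints that the glob accepts both strings while the validator accepts only the first: the glob-based rule cannot pin the argument count, so the script itself has to check it, which is the case blackhole54 made for the wrapper.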
 
Old 08-02-2009, 04:39 PM   #5
blackhole54, Senior Member
Quote:
Originally Posted by starmonche View Post
Thanks, blackhole54!
Thank *you*. I was out of date on bash. While I was familiar with [[ ]] I was unaware of using =~ with it. That definitely simplifies tasks like this!
 