Package: sudo
Version: 1.9.13p3-1+deb12u1
Severity: normal
X-Debbugs-Cc: franc...@homps.fr

Dear Maintainer,

sudo does not seem to parse regular expressions in sudoers files properly.
man sudo states it should be able to do so since 1.9.10.
I have not tested the Debian testing version (1.9.16) as I am not comfortable 
replacing an important security binary with a testing version.

I found this while building an instanced systemd service for minecraft servers.
Ideally, I want users of the group "minecraft" to be able to start / stop / 
restart any instance of the service.
One such instance (for example purposes) is named "vanilla".

I tried to put the following in /etc/sudoers.d/minecraft:

%minecraft ALL= NOPASSWD: /bin/systemctl start minecraft@^[a-zA-Z0-9_]+$
(and equivalent for stop and restart)

visudo finds no errors but the line is not taken into account.
Simpler variants of the regex such as minecraft@^vanilla$ or 
^minecraft@vanilla$ do not work either.

Manually typing the instance names with no regex works:

%minecraft ALL= NOPASSWD: /bin/systemctl start minecraft@vanilla

Sudoers wildcards also work:

%minecraft ALL= NOPASSWD: /bin/systemctl start minecraft@*

but are not acceptable in this situation, since * matches whitespace, allowing 
commands such as

sudo systemctl stop minecraft@vanilla critical_service

Best,
François

-- System Information:
Debian Release: 12.10
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.1.0-31-amd64 (SMP w/16 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages sudo depends on:
ii  init-system-helpers  1.65.2
ii  libaudit1            1:3.0.9-1
ii  libc6                2.36-9+deb12u10
ii  libpam-modules       1.5.2-6+deb12u1
ii  libpam0g             1.5.2-6+deb12u1
ii  libselinux1          3.4-1+b6
ii  zlib1g               1:1.2.13.dfsg-1

sudo recommends no packages.

sudo suggests no packages.

-- Configuration Files:
/etc/sudoers changed:
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        use_pty
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
@includedir /etc/sudoers.d


-- no debconf information
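
The following is an added example, not part of the original report and not sudo's code: a small Python model of how the rule forms discussed above would be matched against the arguments passed to /bin/systemctl. It assumes the behaviour described in sudoers(5): arguments are compared as one space-joined string, an argument pattern is only a regular expression when it begins with '^' and ends with '$', and anything else is a shell-style wildcard. The ANCHORED rule and the two invocations are constructed for illustration.

```python
import fnmatch
import re


def args_match(rule_args: str, argv: list[str]) -> bool:
    """Model of sudoers argument matching (assumption, per sudoers(5)):
    the arguments are joined into one string; a rule that starts with '^'
    and ends with '$' is a regular expression, anything else is a
    shell-style wildcard pattern in which '*' also matches spaces."""
    joined = " ".join(argv)
    if rule_args.startswith("^") and rule_args.endswith("$"):
        return re.fullmatch(rule_args, joined) is not None
    return fnmatch.fnmatchcase(joined, rule_args)


# Argument patterns: the first two appear in the report, the third is a
# constructed variant with the anchors around the whole argument string.
WILDCARD = "start minecraft@*"
MIXED = "start minecraft@^[a-zA-Z0-9_]+$"
ANCHORED = "^start minecraft@[a-zA-Z0-9_]+$"

# Constructed invocations (the arguments that follow /bin/systemctl).
INTENDED = ["start", "minecraft@vanilla"]
EXTRA_UNIT = ["start", "minecraft@vanilla", "critical_service"]


def evaluate() -> dict:
    """Return {rule name: (matches INTENDED, matches EXTRA_UNIT)}."""
    rules = {"wildcard": WILDCARD, "mixed": MIXED, "anchored": ANCHORED}
    return {name: (args_match(rule, INTENDED), args_match(rule, EXTRA_UNIT))
            for name, rule in rules.items()}


if __name__ == "__main__":
    for name, (intended, extra) in evaluate().items():
        print(f"{name:9} intended={intended!s:5} extra_unit={extra}")
```

In this model the wildcard rule accepts the extra unit name, the mixed form matches neither invocation because '^', '+' and '$' are treated as literal characters, and only the fully anchored form accepts the intended command while rejecting the one with an extra argument.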
