On Sat, Mar 15, 2025 at 03:43:00PM +0100, fhomps wrote:
> sudo does not seem to parse regular expressions in sudoers files properly.
> man sudo states it should be able to do so since 1.9.10.
> I have not tested the debian testing version (1.9.16) as I am not comfortable
> replacing an important security binary with a testing version.

You should not install binary packages from testing on stable anyway. Good decision.

If it is a bug in sudo, it is not going to be addressed in Debian 12, though, and I apologize for that.

> I found this while building an instanced systemd service for minecraft servers.
> Ideally, I want users of the group "minecraft" to be able to start / stop /
> restart any instance of the service.
> One such instance (for example purposes) is named "vanilla".
>
> I tried to put the following in /etc/sudoers.d/minecraft:
>
> %minecraft ALL= NOPASSWD: /bin/systemctl start minecraft@^[a-zA-Z0-9_]+$
> (and equivalent for stop and restart)

I have not tried this myself, but the man page says:

|       A  command is a fully qualified file name, which may include shell-style
|       wildcards (see the “Wildcards” section below), or a  regular  expression
|       that  starts  with  ‘^’ and ends with ‘$’ (see the “Regular expressions”
|       section below).

It doesn't say that you can arbitrarily mix string literals and regexps.

Did you try

%minecraft ALL= NOPASSWD: ^/bin/systemctl start minecraft@[a-zA-Z0-9_]+$

I don't know whether the @ or the + need escaping. Try all variants please.

There is also language saying

|       Command line arguments can
|       include wildcards or be a regular expression that starts  with  ‘^’  and
|       ends  with ‘$’.  If the command line arguments consist of ‘""’, the com‐
|       mand may only be run with no arguments.

So

%minecraft ALL= NOPASSWD: /bin/systemctl ^start minecraft@[a-zA-Z0-9_]+$

might also work, but this still doesn't give any indication that your mixture of a regexp and a string literal works.

Greetings
Marc


--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

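Added illustration, not part of the thread and not sudo's own code: a small Python model of only the command-spec forms the sudoers(5) excerpts quoted above describe (a literal command, a literal command with an anchored argument regex, an anchored command regex, and the `""` no-arguments form). Python's `re` is used in place of the POSIX extended regex engine sudo uses, wildcards and digests are left out, and a spec that fits none of the described forms (such as a regex placed in the middle of an argument) is reported as `not-modelled` rather than as allowed or denied; that result is a limit of this model, not a statement about what sudo does with it. The rule strings and command lines below are constructed for the example. On a real host the authoritative checks are `visudo -c -f /etc/sudoers.d/minecraft` and `sudo -l -U <user>`.

```python
import re

# Constructed example rules, modelled on the forms discussed in the mail.
ARGS_REGEX_RULE = "/bin/systemctl ^start minecraft@[a-zA-Z0-9_]+$"
MIXED_RULE = "/bin/systemctl start minecraft@^[a-zA-Z0-9_]+$"


def is_anchored_regex(token: str) -> bool:
    """Per the quoted sudoers(5) text, a regex starts with '^' and ends with '$'."""
    return len(token) >= 2 and token[0] == "^" and token[-1] == "$"


def _split(spec: str) -> tuple[str, str]:
    """Split a command spec into (command, argument-spec); argument-spec may be ''."""
    command, _, args = spec.strip().partition(" ")
    return command, args.strip()


def classify(spec: str) -> str:
    """Name the form of a sudoers command spec under this model.

    'literal'        /path [literal args]
    'args-regex'     /path ^regex over the joined arguments$
    'command-regex'  ^regex over the command path$ [args]
    'not-modelled'   '^' or '$' appears anywhere else; the quoted man page
                     text describes no such form, so this model makes no
                     claim about it (check with visudo -c and sudo -l).
    """
    command, args = _split(spec)
    if is_anchored_regex(command):
        return "command-regex"
    if args and is_anchored_regex(args):
        return "args-regex"
    if "^" in spec or "$" in spec:
        return "not-modelled"
    return "literal"


def allows(spec: str, argv: list[str]) -> bool:
    """True if argv (full command path first) is permitted by spec under this model.

    The argument regex is matched against all arguments joined by single
    spaces and must match the whole string, so an extra trailing argument
    or a character outside the class (e.g. ';') makes the match fail.
    """
    if not argv or classify(spec) == "not-modelled":
        return False
    command, args_spec = _split(spec)
    path, args = argv[0], " ".join(argv[1:])

    if is_anchored_regex(command):
        if re.fullmatch(command[1:-1], path) is None:
            return False
    elif command != path:
        return False

    if args_spec == "":
        return True                      # no argument spec: any arguments
    if args_spec == '""':
        return args == ""                # '""': only with no arguments at all
    if is_anchored_regex(args_spec):
        return re.fullmatch(args_spec[1:-1], args) is not None
    return args_spec == args             # literal arguments must match exactly


if __name__ == "__main__":
    for rule in (ARGS_REGEX_RULE, MIXED_RULE):
        print(f"{classify(rule):14} {rule}")
    for argv in (
        ["/bin/systemctl", "start", "minecraft@vanilla"],
        ["/bin/systemctl", "start", "minecraft@vanilla", "--now"],
        ["/bin/systemctl", "stop", "minecraft@vanilla"],
        ["/bin/systemctl", "start", "minecraft@vanilla;id"],
    ):
        print(allows(ARGS_REGEX_RULE, argv), " ".join(argv))
```

The point the anchors make is visible in the last four lines: only `start minecraft@<name>` with a name drawn from the character class gets through, and anything appended after the unit name is rejected because the regex has to account for the whole argument string, not just a prefix of it.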