Hi Marc,

Thanks for the lightning fast reply.

> Did you try
>
> %minecraft ALL= NOPASSWD: ^/bin/systemctl start minecraft@[a-zA-Z0-9_]+$

This does not work, but...

> %minecraft ALL= NOPASSWD: /bin/systemctl ^start minecraft@[a-zA-Z0-9_]+$

...this does. Thus, problem solved for my use case. Thanks a lot!

Digging deeper, if I understand the EBNF notation in the manpage properly:

    command name ::= regex | file name
    command ::= command name | command name args | command name regex | command name '""' | ALL

then "command name" should be able to be a regex too. Since in your first
suggestion command name and args are part of the same regex, I tried
splitting them:

%minecraft ALL= NOPASSWD: ^/bin/systemctl$ ^start minecraft@[a-zA-Z0-9_]+$

However, this still does not work. Just in case, I also tried forfeiting the
second regex, which did not help:

%minecraft ALL= NOPASSWD: ^/bin/systemctl$ start minecraft@vanilla

Thus I'd argue there is still a bug.

Best,
François

On Saturday, March 15th, 2025 at 4:12 PM, Marc Haber <mh+debian-packa...@zugschlus.de> wrote:

> On Sat, Mar 15, 2025 at 03:43:00PM +0100, fhomps wrote:
> > sudo does not seem to parse regular expressions in sudoers files properly.
> > man sudo states it should be able to do so since 1.9.10.
> > I have not tested the debian testing version (1.9.16) as I am not
> > comfortable replacing an important security binary with a testing version.
>
> You should not install binary packages from testing on stable anyway.
> Good decision.
>
> If it is a bug in sudo, it is not going to be addressed in Debian 12,
> though, and I apologize for that.
>
> > I found this while building an instanced systemd service for minecraft
> > servers.
> > Ideally, I want users of the group "minecraft" to be able to start / stop /
> > restart any instance of the service.
> > One such instance (for example purposes) is named "vanilla".
> >
> > I tried to put the following in /etc/sudoers.d/minecraft:
> >
> > %minecraft ALL= NOPASSWD: /bin/systemctl start minecraft@^[a-zA-Z0-9_]+$
> > (and equivalent for stop and restart)
>
> I have not tried this myself, but the man page says:
>
> | A command is a fully qualified file name, which may include shell-style
> | wildcards (see the “Wildcards” section below), or a regular expression
> | that starts with ‘^’ and ends with ‘$’ (see the “Regular expressions”
> | section below).
>
> It doesn't say that you can arbitrarily mix string literals and regexps.
>
> Did you try
>
> %minecraft ALL= NOPASSWD: ^/bin/systemctl start minecraft@[a-zA-Z0-9_]+$
>
> I don't know whether the @ or the + need escaping. Try all variants
> please.
>
> There is also language saying
>
> | Command line arguments can
> | include wildcards or be a regular expression that starts with ‘^’ and
> | ends with ‘$’. If the command line arguments consist of ‘""’, the
> | command may only be run with no arguments.
>
> So
>
> %minecraft ALL= NOPASSWD: /bin/systemctl ^start minecraft@[a-zA-Z0-9_]+$
>
> might also work, but this still doesn't give any indication that your
> mixture of a regexp and a string literal works.
>
> Greetings
> Marc
>
> --
> -----------------------------------------------------------------------------
> Marc Haber | "I don't trust Computers. They | Mailadresse im Header
> Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
> Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
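A worked check of the argument-regex form that ended up working, added here and not part of the thread: a small Python model (an assumption about how sudo matches, not sudo's own code) that applies the rule's literal path plus anchored argument regex to constructed command lines, so the allow-list can be reviewed before it goes into /etc/sudoers.d.

```python
import re
import shlex

# Rules from the thread, in the form that parsed correctly:
#   %minecraft ALL= NOPASSWD: /bin/systemctl ^start minecraft@[a-zA-Z0-9_]+$
# Modelled here (an assumption, not sudo's own matcher) as a literal command
# path plus one anchored regex applied to the arguments joined by single spaces.
INSTANCE = r"[a-zA-Z0-9_]+"
RULES = [
    ("/bin/systemctl", rf"^{verb} minecraft@{INSTANCE}$")
    for verb in ("start", "stop", "restart")
]


def allowed(argv):
    """True if this argv would be permitted by one of RULES."""
    if not argv:
        return False
    cmd, args = argv[0], " ".join(argv[1:])
    for path, pattern in RULES:
        # fullmatch honours the rule's own ^...$ and gives no trailing-newline leniency
        if cmd == path and re.fullmatch(pattern, args):
            return True
    return False


def check(cmdline):
    """Split a command line the way a shell would and test it against RULES."""
    return allowed(shlex.split(cmdline))


# Constructed sample invocations with the verdict the rule gives them.
SAMPLES = [
    ("/bin/systemctl start minecraft@vanilla", True),
    ("/bin/systemctl restart minecraft@Survival_2", True),
    ("/bin/systemctl start minecraft@vanilla --no-block", False),  # extra argument
    ("/bin/systemctl start minecraft@vanilla sshd", False),        # second unit
    ("/bin/systemctl daemon-reload", False),                        # not in the allow-list
    ("/usr/bin/systemctl start minecraft@vanilla", False),          # path is a literal
    ("/bin/systemctl start minecraft@va-nilla", False),             # '-' not in the class
]

if __name__ == "__main__":
    for line, expected in SAMPLES:
        verdict = check(line)
        status = "ok" if verdict == expected else "MISMATCH"
        print(f"{'ALLOW' if verdict else 'DENY ':5}  {line}  ({status})")
```

The last sample is the caveat to keep in mind: the character class in the rule excludes '-' and '.', which are legal in systemd instance names, so widen it if your instances use them.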