[augeas-devel] [Augeas] #53: The "editor" field in sudoers cannot be parsed properly
Augeas
trac at fedorahosted.org
Sat Mar 28 10:49:08 UTC 2009
#53: The "editor" field in sudoers cannot be parsed properly
---------------------+------------------------------------------------------
Reporter: raphink | Owner: lutter
Type: defect | Status: new
Priority: major | Milestone: next
Component: Augeas | Version: 0.4.1
Keywords: |
---------------------+------------------------------------------------------
See ticket #48 for previous discussion on this and proposed
implementations.[[BR]]
The "editor" parameter is a string which contains a colon-separated list
of editors for visudo. The problem is that sto_to_com does not allow
colons because they are used as separators in most lists in sudoers.[[BR]]
Solutions:[[BR]]
* We need either a separate parsing for "editor" which cuts down the list
into params[[BR]]
* or a separate sto_to_com entry which allows colons and is used for all
string parameters
[[BR]]
I've tried to parse the contents of the "editor" parameter
specifically... So far, I'd call it a failure. This is the code I'm
using:
{{{
(* "editor" is a special value that we parse as a colon-separated list
Note: Spaces are allowed only _if_ the value is surrounded by quotes
but I have no idea how to do that properly with augeas
Values must begin with a "/"
*)
let parameter_string_editor_sto =
    store /\/[^": \t\n\\\\][^":\n\\\\]*[^": \t\n\\\\]|\/[^":\n\\\\]/
let parameter_string_editor_value = [ label "name"
                                      . parameter_string_editor_sto ]
let parameter_string_editor = [ key "editor" . sep_eq
                                . del /"?/ "\""
                                . parameter_string_editor_value
                                . ( sep_col
                                    . parameter_string_editor_value
                                  )*
                                . del /"?/ "\"" ]
}}}
The problem is described in the comment. Here is an example of how it
fails:
Let's say I have an already existing "editor" entry in sudoers, which
says:
{{{
editor = /usr/bin/nano
}}}
which is mapped as
{{{
/files/etc/sudoers/Defaults/editor
/files/etc/sudoers/Defaults/editor/name = "/usr/bin/nano"
}}}
and I want to add a "/usr/bin/pico -A" entry (which is allowed), so I'd
do:
{{{
set /files/etc/sudoers/Defaults/editor/name[2] "/usr/bin/pico -A"
save
}}}
Augeas is happy with it, and I get:
{{{
editor=/usr/bin/nano : /usr/bin/pico -A
}}}
And there, visudo is not happy at all, because that is only possible if
the values are surrounded by double quotes. So
{{{
editor="/usr/bin/nano : /usr/bin/pico -A"
}}}
is perfectly fine.[[BR]]
This only happens if there is an already existing value for "editor" and
it's not using double quotes, since I've set the lens to put double
quotes by default if it creates the field.[[BR]]
One could argue that using a sep_col which is not surrounded by spaces by
default would fix the issue, but it only fixes it partly, and doesn't
really correspond to the reality of what sudoers allows.[[BR]]
I don't really have a clue, except to parse the whole field as a blob
like I did so far. This last option is not perfect at all either, since
"\\\n" separators are allowed within the "editor" values...
--
Ticket URL: <https://fedorahosted.org/augeas/ticket/53>
Augeas <http://augeas.net/>
a configuration API
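
Added example, not part of the ticket and not Augeas code: a Python model of the round trip described above, where the writer picks the quoting from the new content instead of copying the style of the existing line. The function names are hypothetical, the regexes encode only the rule as the ticket reports it (whitespace needs double quotes, entries begin with "/"), and backslash-newline continuations are not handled.

```python
import re

SETTING = re.compile(r'\s*editor\s*=\s*(.*?)\s*')
# Assumption from the ticket: every entry is an absolute path, optionally
# followed by arguments; it may not contain '"', ':' or a backslash.
ENTRY = re.compile(r'/[^":\\\n]*')


def check_entries(entries):
    """Raise ValueError if any entry breaks the assumed entry syntax."""
    for e in entries:
        if not ENTRY.fullmatch(e):
            raise ValueError(f"bad editor entry: {e!r}")
    return entries


def parse_editor(line):
    """Split an 'editor' setting into entries; refuse the form visudo refused."""
    m = SETTING.fullmatch(line)
    if m is None:
        raise ValueError("not an editor setting")
    value = m.group(1)
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    elif re.search(r"\s", value):
        # Rule reported in the ticket: whitespace requires double quotes.
        raise ValueError("whitespace in unquoted editor value")
    return check_entries([e.strip() for e in value.split(":")])


def render_editor(entries, sep=" : "):
    """Write the setting, quoting whenever the joined value has whitespace."""
    body = sep.join(check_entries(entries))
    if re.search(r"\s", body):
        return f'editor="{body}"'
    return f"editor={body}"


def add_editor(line, new_entry):
    """Append one entry to an existing setting and return the rewritten line."""
    return render_editor(parse_editor(line) + [new_entry])


if __name__ == "__main__":
    # The ticket's case: unquoted existing value, new entry containing a space.
    print(add_editor("editor = /usr/bin/nano", "/usr/bin/pico -A"))
```

Parsing the rendered line again before saving gives a cheap check that the file will still be accepted.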