[augeas-devel] Equal sign in commands in sudoers.aug
Raphaël Pinson
raphink at gmail.com
Mon Feb 13 14:38:21 UTC 2012
As it turns out, I found a way. It cost me some stricter typechecking
on commands, but it reduces the typechecking to 1,4GB again. The idea
is to declare sto_to_com_cmnd as:
let sto_to_com_cmnd =
      let alias = Rx.word - /(NO)?(PASSWD|EXEC|SETENV)/
   in let non_alias = /(!?\/([^,:#()\n\\]|\\\\[=:,\\])*[^,=:#() \t\n\\])|[^,=:#() \t\n\\]/
   in store (alias | non_alias)
Forcing the first character of a command to be "!" or "/" (unless it's
an alias) doesn't seem crazy, and this way the restriction is only
made to Rx.word, which is far less costly.
Raphaël
On Mon, Feb 13, 2012 at 3:21 PM, Raphaël Pinson <raphink at gmail.com> wrote:
> Hello all,
>
> I'm having an issue with sudoers.aug. I found that the lens currently
> doesn't allow "=" in commands, so I added a test for it (which,
> logically, fails):
>
> test Sudoers.spec get "root ALL=(ALL) ALL /usr/bin/mylvmbackup --configfile=/etc/mylvbackup_amanda.conf\n" =
>   { "spec"
>     { "user" = "root" }
>     { "host_group"
>       { "host" = "ALL" }
>       { "command" = "ALL /usr/bin/mylvmbackup --configfile=/etc/mylvbackup_amanda.conf"
>         { "runas_user" = "ALL" } } } }
>
>
> Allowing "=" in the middle of commands means changing:
>
> let sto_to_com_cmnd = store /([^,=:#() \t\n\\]([^=,:#()\n\\]|\\\\[=:,\\])*[^,=:#() \t\n\\])|[^,=:#() \t\n\\]/
>
> into
>
> let sto_to_com_cmnd = store /([^,=:#() \t\n\\]([^,:#()\n\\]|\\\\[=:,\\])*[^,=:#() \t\n\\])|[^,=:#() \t\n\\]/
>
>
> That looks easy enough. Unfortunately, it leads to an ambiguity, since
> commands could be named for example "SETENV" (using aliases for
> example), and then augeas wouldn't know how to parse this:
>
> :A=SETENV:B=C
>
> which could either be parsed as:
>
> { "host_group"
> { "host" = "A" }
> { "tag" = "SETENV" }
> { "command" = "B=C" } }
>
> or
>
> { "host_group"
> { "host" = "A" }
> { "command" = "SETENV" } }
> { "host_group"
> { "host" = "B" }
> { "command" = "C" } }
>
>
> Obviously, the second solution is wrong, because "SETENV" (and
> /(NO)?(PASSWD|EXEC|SETENV)/ in general) is a reserved word for tags,
> which cannot be used as a command alias.
> Now, fixing this ambiguity is doable by saying:
>
> let sto_to_com_cmnd = store (/([^,=:#() \t\n\\]([^,:#()\n\\]|\\\\[=:,\\])*[^,=:#() \t\n\\])|[^,=:#() \t\n\\]/ - /(NO)?(PASSWD|EXEC|SETENV)/)
>
>
> This typechecks fine, *but* it requires no less than 14GB of RAM to
> typecheck, which is unacceptable.
>
> Does anyone have an idea to implement this without falling into a huge
> pit of RAM and CPU usage?
>
>
> Cheers,
>
> Raphaël
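
Added example, not part of the original message or of sudoers.aug: a Python translation of the regexes discussed in this thread, checking which command strings each variant accepts. It assumes Rx.word is /[A-Za-z0-9_.-]+/ and emulates the Augeas regex subtraction with a negated full match; apart from the mylvmbackup line and the tag names, the sample commands are constructed.

```python
import re

# Python translations of the regexes in the thread. Assumptions: the Augeas
# literal "\\\\" denotes one backslash, and Rx.word is /[A-Za-z0-9_.-]+/.
LAST = r"[^,=:#() \t\n\\]"   # class used for the first/last character
ESC = r"\\[=:,\\]"           # backslash-escaped '=', ':', ',' or backslash
ORIGINAL = re.compile(rf"{LAST}(?:[^=,:#()\n\\]|{ESC})*{LAST}|{LAST}")
RELAXED = re.compile(rf"{LAST}(?:[^,:#()\n\\]|{ESC})*{LAST}|{LAST}")
NON_ALIAS = re.compile(rf"!?/(?:[^,:#()\n\\]|{ESC})*{LAST}|{LAST}")
WORD = re.compile(r"[A-Za-z0-9_.-]+")
TAG = re.compile(r"(?:NO)?(?:PASSWD|EXEC|SETENV)")

def original(cmd):
    """Lens before the change: no '=' inside a command."""
    return bool(ORIGINAL.fullmatch(cmd))

def relaxed(cmd):
    """'=' allowed in the middle, tag keywords not excluded."""
    return bool(RELAXED.fullmatch(cmd))

def relaxed_minus_tags(cmd):
    """RELAXED - TAG: the variant that needed 14GB to typecheck."""
    return relaxed(cmd) and not TAG.fullmatch(cmd)

def split(cmd):
    """(Rx.word - TAG) | non_alias: subtraction applied to Rx.word only."""
    alias = bool(WORD.fullmatch(cmd)) and not TAG.fullmatch(cmd)
    return alias or bool(NON_ALIAS.fullmatch(cmd))

# The command from the failing test plus constructed samples.
LONG = "/usr/bin/mylvmbackup --configfile=/etc/mylvbackup_amanda.conf"
SAMPLES = [LONG, "SETENV", "NOPASSWD", "B=C", "BACKUP_CMDS", "!/bin/su"]

def report():
    """Return one row per sample: (cmd, original, relaxed, minus_tags, split)."""
    return [(c, original(c), relaxed(c), relaxed_minus_tags(c), split(c))
            for c in SAMPLES]

if __name__ == "__main__":
    print(f"{'command':<62} orig  relax minus split")
    for cmd, *flags in report():
        print(f"{cmd:<62} " + " ".join(f"{str(f):<5}" for f in flags))
```
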