[Freeipa-users] regex with sudo commands

Tomas Babej tbabej at redhat.com
Tue May 5 08:49:28 UTC 2015


Hello!

On 05/05/2015 03:37 AM, Megan . wrote:
> Good Evening!
>
> I'm running 3.0.0-42 on Centos 6.6.
>
> I set up a number of sudo commands today with regular expressions and
> now users seem to be having issues running any sudo command.  Are
> there any known issues with having regex in sudo commands within the
> IPA server?
>
> Here is an example of a sudo rule I have setup.  When my user runs
> sudo -ll he only sees the below command, and he should have a large
> number of commands available (like /sbin/service httpd restart)
>
> SSSD Role: deploy for UAT
>      RunAsUsers: appusr
>      Commands:
> /usr/bin/python /usr/share/appusr/onworld-tools/scripts/configure.py
> -l [a-zA-Z0-9\-_/]* -e EPSG[0-9][0-9][0-9][0-9] -t [a-z]*
> /usr/share/appusr/apache-ant-1.9.4/bin/ant -f
> /usr/share/appusr/onworld-tools/scripts/config_deploy.xml
> deploy-[a-zA-Z0-9\-]  -Denv=uat
As far as I know, sudo does not support regular expressions in sudo 
rules. It supports wildcards however, but that's not the same thing, 
even though the syntax is similar. The matching is done using the glob(3) 
and fnmatch(3) functions. See man sudoers, section wildcards.

Also, I don't think the sudo -ll expands the sudo commands with 
wildcards. I just tried it with simple '/sbin/m*', and I see

Sudoers entry:
     RunAsUsers: root
     Commands:
         /sbin/m*

Things work as expected, with me being able to execute executables in 
sbin starting with the letter m.

>
>
> I also purged /var/lib/sss/db and restarted sssd thinking it might be
> related to caching but it didn't help.
>
> Thanks in advance!
>

HTH,

Tomas
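The difference between glob and regex semantics that the reply points at can be checked directly, because fnmatch(3) is the function sudo uses. The program below is an added example, not code from the thread or from sudo or FreeIPA; it applies fnmatch to the argument patterns Megan posted and to the `/sbin/m*` path pattern from the reply. Two things are assumptions on my part rather than facts from the thread: that sudo compares the command path with FNM_PATHNAME (sudoers(5) documents that wildcards in a path name do not match `/`) and compares the argument string with no flags, and the pattern `deploy-[a-zA-Z0-9]` drops the escaped `\-` from the original so the bracket expression's behaviour does not depend on the C library's escape handling.

```c
#include <fnmatch.h>
#include <stdio.h>

/* sudoers argument patterns are matched with fnmatch(3); flags=0 is an
   assumption about how sudo compares the argument string (as one string,
   so '*' may also match spaces and '/'). Returns 1 on match, 0 otherwise. */
int sudoers_args_match(const char *pattern, const char *args)
{
    return fnmatch(pattern, args, 0) == 0;
}

/* The command path is compared with FNM_PATHNAME (assumption based on
   sudoers(5): a forward slash is not matched by wildcards in a path name),
   so '*' cannot cross a '/'. */
int sudoers_path_match(const char *pattern, const char *path)
{
    return fnmatch(pattern, path, FNM_PATHNAME) == 0;
}

int main(void)
{
    /* Bracket expressions exist in globs too, but each [...] is exactly one
       character: EPSG[0-9][0-9][0-9][0-9] requires four digits. */
    printf("%d\n", sudoers_args_match("-e EPSG[0-9][0-9][0-9][0-9]", "-e EPSG4326")); /* 1 */
    printf("%d\n", sudoers_args_match("-e EPSG[0-9][0-9][0-9][0-9]", "-e EPSG432"));  /* 0 */

    /* In a glob, [a-z]* means "one lowercase letter, then anything at all",
       not "zero or more letters" as it would in a regex. */
    printf("%d\n", sudoers_args_match("-t [a-z]*", "-t uat"));   /* 1 */
    printf("%d\n", sudoers_args_match("-t [a-z]*", "-t u"));     /* 1 */
    printf("%d\n", sudoers_args_match("-t [a-z]*", "-t "));      /* 0: one letter is required */
    printf("%d\n", sudoers_args_match("-t [a-z]*", "-t u x y")); /* 1: '*' spans spaces */

    /* deploy-[a-zA-Z0-9] matches exactly one trailing character (constructed
       variant of the thread's pattern without the escaped '-'). */
    printf("%d\n", sudoers_args_match("deploy-[a-zA-Z0-9] -Denv=uat", "deploy-u -Denv=uat"));   /* 1 */
    printf("%d\n", sudoers_args_match("deploy-[a-zA-Z0-9] -Denv=uat", "deploy-uat -Denv=uat")); /* 0 */

    /* Path glob from the reply: /sbin/m* matches /sbin/mkfs, but '*' stops
       at '/', so an entry under a subdirectory does not match. */
    printf("%d\n", sudoers_path_match("/sbin/m*", "/sbin/mkfs"));      /* 1 */
    printf("%d\n", sudoers_path_match("/sbin/m*", "/sbin/mdir/prog")); /* 0 */
    return 0;
}
```

Compile with `cc -o globcheck globcheck.c` and run it; a rule written with regex intent (`[a-z]*` meaning "any lowercase word", `deploy-[...]` meaning "deploy-" plus a word) matches a different, usually narrower, set of command lines than intended, and the `*` in an argument pattern matches across spaces, so it can swallow every argument that follows it.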