On 05/05/2015 03:37 AM, Megan . wrote:
Good Evening!

I'm running 3.0.0-42 on Centos 6.6.

I setup a number of sudo commands today with regular expressions and
now users seem to be having issues running any sudo command.  Are
there any known issues with having regex in sudo commands within the
IPA server?

Here is an example of a sudo rule I have setup.  When my user runs
sudo -ll he only sees the below command, and he should have a large
number of commands available (like /sbin/service httpd restart)

SSSD Role: deploy for UAT
     RunAsUsers: appusr
/usr/bin/python /usr/share/appusr/onworld-tools/scripts/configure.py
-l [a-zA-Z0-9\-_/]* -e EPSG[0-9][0-9][0-9][0-9] -t [a-z]*
/usr/share/appusr/apache-ant-1.9.4/bin/ant -f
deploy-[a-zA-Z0-9\-]  -Denv=uat
As far as I know, sudo does not support regular expressions in sudo rules. It supports wildcards however, but that's not the same thing, even though syntax is similiar. The matching is done using the glob(3) and fnmatch(3) functions. See man sudoers, section wildcards.

Also, I don't think the sudo -ll expands the sudo commands with wildcards. I just tried it with simple '/sbin/m*', and I see

Sudoers entry:
    RunAsUsers: root

Things work as expected, with me being able to execute executables in sbin starting with the letter m.

I also purged /var/lib/sss/db and restated sssd thinking it might be
related to caching but it didn't help.

Thanks in advance!



Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to