Hello!
On 05/05/2015 03:37 AM, Megan . wrote:
Good Evening!
I'm running 3.0.0-42 on Centos 6.6.
I setup a number of sudo commands today with regular expressions and
now users seem to be having issues running any sudo command. Are
there any known issues with having regex in sudo commands within the
IPA server?
Here is an example of a sudo rule I have setup. When my user runs
sudo -ll he only sees the below command, and he should have a large
number of commands available (like /sbin/service httpd restart)
SSSD Role: deploy for UAT
RunAsUsers: appusr
Commands:
/usr/bin/python /usr/share/appusr/onworld-tools/scripts/configure.py
-l [a-zA-Z0-9\-_/]* -e EPSG[0-9][0-9][0-9][0-9] -t [a-z]*
/usr/share/appusr/apache-ant-1.9.4/bin/ant -f
/usr/share/appusr/onworld-tools/scripts/config_deploy.xml
deploy-[a-zA-Z0-9\-] -Denv=uat
As far as I know, sudo does not support regular expressions in sudo
rules. It supports wildcards however, but that's not the same thing,
even though syntax is similiar. The matching is done using the glob(3)
and fnmatch(3) functions. See man sudoers, section wildcards.
Also, I don't think the sudo -ll expands the sudo commands with
wildcards. I just tried it with simple '/sbin/m*', and I see
Sudoers entry:
RunAsUsers: root
Commands:
/sbin/m*
Things work as expected, with me being able to execute executables in
sbin starting with the letter m.
I also purged /var/lib/sss/db and restated sssd thinking it might be
related to caching but it didn't help.
Thanks in advance!
HTH,
Tomas
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
