

Sudoers: support for negated command alias (Issue #262)
Geoff Williams authored and raphink committed Sep 15, 2015
1 parent c5c7037 commit 58a009f
Showing 2 changed files with 57 additions and 20 deletions.
46 changes: 27 additions & 19 deletions lenses/sudoers.aug
Expand Up @@ -82,15 +82,37 @@ let sep_col = sep_cont_opt_build ":"
(* Variable: sep_dquote *)
let sep_dquote = Util.del_str "\""

(* Group: Negation expressions *)

(************************************************************************
* View: del_negate
* Delete an even number of '!' signs
*************************************************************************)
let del_negate = del /(!!)*/ ""

(************************************************************************
* View: negate_node
* Negation of boolean values for <defaults>. Accept one optional '!'
* and produce a 'negate' node if there is one.
*************************************************************************)
let negate_node = [ del "!" "!" . label "negate" ]

(************************************************************************
* View: negate_or_value
* A <del_negate>, followed by either a negated key, or a key/value pair
*************************************************************************)
let negate_or_value (key:lens) (value:lens) =
[ del_negate . (negate_node . key | key . value) ]

(* Group: Stores *)

(* Variable: sto_to_com_cmnd
sto_to_com_cmnd does not begin or end with a space *)
let sto_to_com_cmnd =

let sto_to_com_cmnd = del_negate . negate_node? . (
let alias = Rx.word - /(NO)?(PASSWD|EXEC|SETENV)/
in let non_alias = /(!?[\/a-z]([^,:#()\n\\]|\\\\[=:,\\])*[^,=:#() \t\n\\])|[^,=:#() \t\n\\]/
in store (alias | non_alias)
in let non_alias = /[\/a-z]([^,:#()\n\\]|\\\\[=:,\\])*[^,=:#() \t\n\\]|[^,=:#() \t\n\\]/
in store (alias | non_alias))

(* Variable: sto_to_com

Expand Down Expand Up @@ -251,10 +273,12 @@ let cmnd_alias = alias_entry "Cmnd_Alias" "command" sto_to_com_cmnd
* > 'Cmnd_Alias' Cmnd_Alias (':' Cmnd_Alias)*
*************************************************************************)
let alias = user_alias | runas_alias | host_alias | cmnd_alias

(************************************************************************
* Group: DEFAULTS
*************************************************************************)


(************************************************************************
* View: default_type
* Type definition for <defaults>
Expand All @@ -270,22 +294,6 @@ let default_type =
let value = store /[@:!>][^ \t\n\\]+/ in
[ label "type" . value ]

(************************************************************************
* View: del_negate
* Delete an even number of '!' signs
*************************************************************************)
let del_negate = del /(!!)*/ ""

(************************************************************************
* View: negate_node
* Negation of boolean values for <defaults>. Accept one optional '!'
* and produce a 'negate' node if there is one.
*************************************************************************)
let negate_node = [ del "!" "!" . label "negate" ]

let negate_or_value (key:lens) (value:lens) =
[ del_negate . (negate_node . key | key . value) ]

(************************************************************************
* View: parameter_flag
* A flag parameter for <defaults>
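Review bot: The doc comment on `negate_node` (the "View: negate_node" block near the top of the first hunk) still says it handles "Negation of boolean values for <defaults>", yet the whole Negation group was moved above the Stores group precisely so that `sto_to_com_cmnd` — and through it `Cmnd_Alias` members and per-host command lists — can reuse it; I'd change that line to `* Negation of boolean values for <defaults> and of commands in <sto_to_com_cmnd>.`. The `sto_to_com_cmnd` comment should also record the tree change the new `del_negate . negate_node?` prefix introduces: a denied command such as `!/bin/mount` is no longer stored as the value `!/bin/mount` but as `command = "/bin/mount"` with a `negate` child, so any consumer that reads the command value without checking for that child will now see a deny entry as an allow entry — a security-relevant change for tools managing sudoers through this lens and worth a sentence in the comment (and in NEWS). Since `del_negate` has `""` as its put default, a negated command created via the tree is written with exactly one `!`, which is fine but deserves a line, e.g. `(* '!!' pairs are consumed by del_negate; a single remaining '!' becomes a 'negate' child *)`. Whether sudo's tokenizer accepts whitespace between `!` and the command name I cannot tell from here; if it does, such lines will not match because `del "!" "!"` is immediately followed by the store — worth checking against the sudoers grammar.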
31 changes: 30 additions & 1 deletion lenses/tests/test_sudoers.aug
Expand Up @@ -183,7 +183,8 @@ www-data +biglab=(rpinson)NOEXEC: ICAL \
{ "host_group"
{ "host" = "ALPHA" }
{ "command" = "/usr/bin/su [!-]*" }
{ "command" = "!/usr/bin/su *root*" } } }
{ "command" = "/usr/bin/su *root*"
{ "negate" } } } }
{}
{ "spec"
{ "user" = "@my\ admin\ group" }
Expand Down Expand Up @@ -326,3 +327,31 @@ test Sudoers.spec get "group+user somehost = ALL\n" =
{ "command" = "ALL" }
}
}

(* Test: Sudoers.spec
GH #262: Sudoers lens doesn't support `!` for command aliases *)
test Sudoers.spec get "%opssudoers ALL=(ALL) ALL, !!!BANNED\n" =
{ "spec"
{ "user" = "%opssudoers" }
{ "host_group"
{ "host" = "ALL" }
{ "command" = "ALL"
{ "runas_user" = "ALL" } }
{ "command" = "BANNED"
{ "negate" } }
}
}

(* Test: Sudoers.spec
Handle multiple `!` properly in commands *)
test Sudoers.spec get "%opssudoers ALL=(ALL) ALL, !!!/bin/mount\n" =
{ "spec"
{ "user" = "%opssudoers" }
{ "host_group"
{ "host" = "ALL" }
{ "command" = "ALL"
{ "runas_user" = "ALL" } }
{ "command" = "/bin/mount"
{ "negate" } }
}
}
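Review bot: Both new tests cover only odd runs of `!` and only the `get` direction, so nothing checks that `del_negate` really consumes an even run (`!!/bin/mount` must yield `command = "/bin/mount"` with no `negate` child, i.e. an allowed command) or that a `negate` node survives a `put`; because a negation in sudoers is a deny, a regression in either direction would silently flip an entry's meaning without any existing test failing. I'd add the get test below, plus a `put` test that sets a `negate` child under an existing `command` node and expects the line to be rewritten with a single leading `!`. The exact put path depends on how the test tree is rooted in this file, which is not visible in this hunk, so I have not spelled it out.
```augeas
(* Test: Sudoers.spec
   An even number of `!` cancels out: no negate node is produced *)
test Sudoers.spec get "%opssudoers ALL=(ALL) ALL, !!/bin/mount\n" =
  { "spec"
    { "user" = "%opssudoers" }
    { "host_group"
      { "host" = "ALL" }
      { "command" = "ALL"
        { "runas_user" = "ALL" } }
      { "command" = "/bin/mount" }
    }
  }
```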
