[augeas-devel] Equal sign in commands in sudoers.aug

Raphaël Pinson raphink at gmail.com
Mon Feb 13 14:38:21 UTC 2012


As it turns out, I found a way. It cost me some stricter typechecking
on commands, but it reduces the typechecking to 1,4GB again. The idea
is to declare sto_to_com_cmnd as:

  let sto_to_com_cmnd =
        let alias = Rx.word - /(NO)?(PASSWD|EXEC|SETENV)/
     in let non_alias = /(!?\/([^,:#()\n\\]|\\\\[=:,\\])*[^,=:#() \t\n\\])|[^,=:#() \t\n\\]/
     in store (alias | non_alias)

Forcing the first character of a command to be "!" or "/" (unless it's
an alias) doesn't seem crazy, and this way the restriction is only
made to Rx.word, which is far less costly.


Raphaël


On Mon, Feb 13, 2012 at 3:21 PM, Raphaël Pinson <raphink at gmail.com> wrote:
> Hello all,
>
> I'm having an issue with sudoers.aug. I found that the lens currently
> doesn't allow "=" in commands, so I added a test for it (which,
> logically, fails):
>
>  test Sudoers.spec get "root ALL=(ALL) ALL /usr/bin/mylvmbackup --configfile=/etc/mylvbackup_amanda.conf\n" =
>    { "spec"
>      { "user" = "root" }
>      { "host_group"
>        { "host" = "ALL" }
>        { "command" = "ALL /usr/bin/mylvmbackup --configfile=/etc/mylvbackup_amanda.conf"
>          { "runas_user" = "ALL" } } } }
>
>
> Allowing "=" in the middle of commands means changing:
>
>  let sto_to_com_cmnd = store /([^,=:#() \t\n\\]([^=,:#()\n\\]|\\\\[=:,\\])*[^,=:#() \t\n\\])|[^,=:#() \t\n\\]/
>
> into
>
>  let sto_to_com_cmnd = store /([^,=:#() \t\n\\]([^,:#()\n\\]|\\\\[=:,\\])*[^,=:#() \t\n\\])|[^,=:#() \t\n\\]/
>
>
> That looks easy enough. Unfortunately, it leads to an ambiguity, since
> commands could be named for example "SETENV" (using aliases for
> example), and then augeas wouldn't know how to parse this:
>
>  :A=SETENV:B=C
>
> which could either be parsed as:
>
>  { "host_group"
>     { "host" = "A" }
>     { "tag" = "SETENV" }
>     { "command" = "B=C" } }
>
> or
>
>  { "host_group"
>     { "host" = "A" }
>     { "command" = "SETENV" } }
>  { "host_group"
>     { "host" = "B" }
>     { "command" = "C" } }
>
>
> Obviously, the second solution is wrong, because "SETENV" (and
> /(NO)?(PASSWD|EXEC|SETENV)/ in general) is a reserved word for tags,
> which cannot be used as a command alias.
> Now, fixing this ambiguity is doable by saying:
>
>  let sto_to_com_cmnd = store (/([^,=:#() \t\n\\]([^,:#()\n\\]|\\\\[=:,\\])*[^,=:#() \t\n\\])|[^,=:#() \t\n\\]/
>       - /(NO)?(PASSWD|EXEC|SETENV)/)
>
>
> This typechecks fine, *but* it requires no less than 14GB of RAM to
> typecheck, which is unacceptable.
>
> Does anyone have an idea to implement this without falling into a huge
> pit of RAM and CPU usage?
>
>
> Cheers,
>
> Raphaël
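
The ambiguity and the fix discussed in this thread, modelled in Python as an added example (not code from the thread or from Augeas). Assumptions: `Rx.word` is taken to be `[A-Za-z0-9_.-]+`, `\\\\[=:,\\]` is read as a backslash followed by one of `= : , \`, and the Augeas `-` operator (language subtraction) is emulated by one full match plus one full-match rejection; the alias name `BACKUP_CMDS` is constructed.

```python
import re

# Character classes transcribed from the lens regexes quoted in the thread.
LAST = r"[^,=:#() \t\n\\]"             # allowed as a command's last character
BODY = r"(?:[^,:#()\n\\]|\\[=:,\\])*"  # middle: '=' allowed, or \= \: \, \\

# Intermediate variant: '=' allowed in the middle, nothing subtracted.
PERMISSIVE = re.compile(f"{LAST}{BODY}{LAST}|{LAST}")

# Final variant from the reply: store (alias | non_alias).
WORD = re.compile(r"[A-Za-z0-9_.-]+")               # assumed Rx.word
TAG = re.compile(r"(?:NO)?(?:PASSWD|EXEC|SETENV)")  # reserved tag words
NON_ALIAS = re.compile(f"!?/{BODY}{LAST}|{LAST}")   # must start with '!' or '/'


def permissive_command(s):
    """True if s is a command under the intermediate (ambiguous) regex."""
    return PERMISSIVE.fullmatch(s) is not None


def is_alias(s):
    """Rx.word minus the tag words: in WORD's language and not in TAG's."""
    return WORD.fullmatch(s) is not None and TAG.fullmatch(s) is None


def is_command(s):
    """True if s is a command under the final alias | non_alias regex."""
    return is_alias(s) or NON_ALIAS.fullmatch(s) is not None


# Constructed samples, taken from or modelled on the strings in the thread.
SAMPLES = [
    "/usr/bin/mylvmbackup --configfile=/etc/mylvbackup_amanda.conf",
    "SETENV",       # reserved tag word, must not parse as a command
    "B=C",          # the other half of the ":A=SETENV:B=C" ambiguity
    "BACKUP_CMDS",  # constructed command alias name
    "!/bin/su",     # negated command
]


def report():
    """Map each sample to (accepted by intermediate, accepted by final)."""
    return {s: (permissive_command(s), is_command(s)) for s in SAMPLES}


if __name__ == "__main__":
    for sample, (old, new) in report().items():
        print(f"{sample!r}: intermediate={old} final={new}")
```

Under the intermediate regex both `SETENV` and `B=C` are valid commands, which is what makes `:A=SETENV:B=C` parse two ways; under the final one neither is, while the path containing `=` is still accepted.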



