Hello,
Not sure if this is the right place to announce this.
I've wanted regex in sudo for a long time, but it hasn't been accepted; the PR went stale. However, as I have to make rather cumbersome rules for subsets of commands, I thought, why not do something new that covers what I need, and I came up with this.
https://aur.archlinux.org/packages/pleaser/
The idea is that a sysadmin (you) can delegate some access, such as this:
[docker_run]
name=ed
target=root
regex = ^(/usr)?/bin/docker\s+run\s+-it\s+(--rm)?\s+(archlinux|debian|fedora|oraclelinux):latest\s+/bin/bash
require_pass=false
$ please docker run -it --rm archlinux:latest /bin/bash
Whilst this would be disallowed, since you probably don't want to allow a container to modify /etc/shadow:
$ please docker run -it --rm -v /etc:/etc:rw oraclelinux:6-latest /bin/bash
I've written it in Rust for various reasons and, well, unit tests.
Issues and PRs welcome (https://gitlab.com/edneville/please), would be great to hear from others.
Last edited by edneville (2020-11-02 19:48:35)
Offline
Would be nice not to have to mess around with `sudo`'s ad-hoc syntax anymore - this is a nice improvement I think. Thanks for sharing
Responsible Coder, Python Fan, Rust enthusiast
Offline
Hi @edneville thanks for this.
I was trying to write some rules, basically I was trying a very simple rule to elevate from my user to root, something like I do in this way with sudo:
figue ALL=(ALL) ALL
So, I've added this to please.ini:
[figue_root]
name = figue
type = run
target = root
permit = true
regex = .*
require_pass = true
With this, password seems not accepted and it prompts again and again. In journal I see this:
ene 27 14:27:36 pluto please[115770]: pam_warn(please:auth): function=[pam_sm_authenticate] flags=0 service=[please] terminal=[<unknown>] user=[<unknown>] ruser=[<unknown>] rhost=[<unknown>]
ene 27 14:27:36 pluto please[115770]: pam_warn(please:setcred): function=[pam_sm_setcred] flags=0x4 service=[please] terminal=[<unknown>] user=[<unknown>] ruser=[<unknown>] rhost=[<unknown>]
If I set "require_pass = false" it works fine, though.
Am I doing something wrong?
Last edited by figue (2021-01-27 14:21:56)
Offline
> With this, password seems not accepted and it prompts again and again. In journal I see this:
Thanks for reporting this. It was an error in the package, not what you were doing.
This is fixed now I believe, any issues let me know.
Offline
so, out of curiosity
the regex is unaware where parameters start/end, no way to differentiate `foo bar baz` vs. `foo "bar baz"`? since it just uses \s+ (any white space) to separate them?
in your example, it would not only allow
$ please docker run -it --rm archlinux:latest /bin/bash
but also this?
$ please docker run "-it --rm" archlinux:latest /bin/bash
if so, this would already break semantic (allows to run more commands than just the intended ones) and might be security relevant in some contexts
Offline
> figue wrote: With this, password seems not accepted and it prompts again and again. In journal I see this:
> Thanks for reporting this. It was an error in the package, not what you were doing.
> This is fixed now I believe, any issues let me know.
Thanks.
Edit: After forcing a rebuild, all is ok now.
Last edited by figue (2021-02-01 23:45:25)
Offline
> so, out of curiosity
> the regex is unaware where parameters start/end, no way to differentiate `foo bar baz` vs. `foo "bar baz"`? since it just uses \s+ (any white space) to separate them?
> in your example, it would not only allow
> $ please docker run -it --rm archlinux:latest /bin/bash
> but also this?
> $ please docker run "-it --rm" archlinux:latest /bin/bash
> if so, this would already break semantic (allows to run more commands than just the intended ones) and might be security relevant in some contexts
Anyone who is using some completely unvetted personal pet project and expects security is a very great fool. There's a reason people don't constantly reinvent sudo, and there are only a handful of alternatives -- polkit/pkexec which is backed by Freedesktop, and doas backed by OpenBSD.
"Here is my completely anonymous rust project" was highly suspicious even before one considers the use of regex, which is, um, a very complicated way to mess up.
Managing AUR repos The Right Way -- aurpublish (now a standalone tool)
Offline
> in your example, it would not only allow
> $ please docker run -it --rm archlinux:latest /bin/bash
> but also this?
> $ please docker run "-it --rm" archlinux:latest /bin/bash
> if so, this would already break semantic (allows to run more commands than just the intended ones) and might be security relevant in some contexts
Yes, that is currently intentional. Parity with sudo would replace ' ' with '\ ', something I can add to 0.4. I was hoping to think of a better way to do this before settling with escapes, the user should really have look and feel of regex from grep and rewriterule, without surprise. It is doing what I want, and I'm more than happy to take input from others.
> Anyone who is using some completely unvetted personal pet project and expects security is a very great fool. There's a reason people don't constantly reinvent sudo, and there are only a handful of alternatives -- polkit/pkexec which is backed by Freedesktop, and doas backed by OpenBSD.
> "Here is my completely anonymous rust project" was highly suspicious even before one considers the use of regex, which is, um, a very complicated way to mess up.
Unfortunately, neither sudo nor doas has regex parsing, which for long rule sets is something that is sorely missed.
Out of interest, how is vetting of sudo going? I don't want to fixate on it, but it's been vetted many times by many organisations, and this isn't just for sudo but perhaps more a C failing. I welcome opinion on pleaser, the more eyes the better. BTW, have you tried using * in a sudo rule - that introduces far more risk and surprises the user far more than any regex possibly could.
Offline
How about using \0, the traditional argument separator?
$ hexdump -C /proc/self/cmdline vs " spaces "
00000000  68 65 78 64 75 6d 70 00  2d 43 00 2f 70 72 6f 63  |hexdump.-C./proc|
00000010  2f 73 65 6c 66 2f 63 6d  64 6c 69 6e 65 00 76 73  |/self/cmdline.vs|
00000020  00 20 73 70 61 63 65 73  20 00                    |. spaces .|
0000002a
hexdump: vs: No such file or directory
hexdump: spaces : No such file or directory
Rust's regex engine should be able to match null bytes https://docs.rs/regex/1.4.3/regex/bytes … ted-string
> the user should really have look and feel of regex from grep and rewriterule
Well, regular expressions are hard to work with. You could use a shell-like syntax (whitespace splitting, quoting and brace expansion) to express the same thing
this
regex = ^(/usr)?/bin/docker\s+run\s+-it\s+(--rm)?\s+(archlinux|debian|fedora|oraclelinux):latest\s+/bin/bash
could be written as
command = docker run -it {--rm}? {archlinux,debian,fedora,oraclelinux}:latest /bin/bash
/usr/bin condition could be implied so it need not be specified for every single command (or there could be separate path = setting)
{a,b,c} syntax is shell expansion like
$ echo {archlinux,debian,fedora,oraclelinux}:latest
archlinux:latest debian:latest fedora:latest oraclelinux:latest
that way it would be very clear what is allowed for each argument w/o resorting to cryptic looking regular expression syntax
just throwing ideas around, since I randomly came across this thread. I don't use sudo at all actually ;-)
Dealing with suid binary esoterics is a different can of worms entirely, so I won't comment on that (haven't looked at your code at all either)
It's your project so it's up to you, I wish you all the best
Offline
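An added example, not part of any post above and not pleaser's code: it contrasts matching the first post's rule against a space-joined command line with matching a compiled form of the `command =` syntax proposed in the last post against NUL-terminated arguments, as laid out in /proc/self/cmdline. Python's `re` stands in for Rust's regex crate; the function names, the resolved `/usr/bin/docker` path in argv[0], and reading `{...}?` as "optional argument" are assumptions.

```python
import re

# Rule regex from the first post (assumption: Python's re stands in for Rust's regex crate).
RULE = re.compile(r"^(/usr)?/bin/docker\s+run\s+-it\s+(--rm)?\s+"
                  r"(archlinux|debian|fedora|oraclelinux):latest\s+/bin/bash")

def allowed_space_joined(argv):
    """Match the rule against argv joined with spaces; argument boundaries are lost."""
    return RULE.search(" ".join(argv)) is not None

def compile_command(spec):
    """Compile a shell-like spec (whitespace-split tokens, {a,b} alternation,
    trailing ? for an optional token) into a regex over NUL-terminated arguments."""
    parts = []
    for token in spec.split():
        optional = token.endswith("}?")
        if optional:
            token = token[:-1]
        rx = ""
        for piece in re.split(r"(\{[^{}]*\})", token):
            if piece.startswith("{"):
                alts = piece[1:-1].split(",")
                rx += "(?:" + "|".join(re.escape(a) for a in alts) + ")"
            else:
                rx += re.escape(piece)  # literal text, no regex metacharacters
        rx += r"\x00"  # each argument ends at a NUL byte
        parts.append("(?:" + rx + ")?" if optional else rx)
    return re.compile("".join(parts))

def allowed_nul_terminated(pattern, argv):
    """Match the whole argv, serialised with a NUL after every argument."""
    return pattern.fullmatch("".join(a + "\0" for a in argv)) is not None

# Hypothetical rule in the proposed syntax, with the binary path spelled out.
SPEC = compile_command(
    "/usr/bin/docker run -it {--rm}? {archlinux,debian,fedora,oraclelinux}:latest /bin/bash")

# Constructed argv vectors based on the commands quoted in the thread.
INTENDED = ["/usr/bin/docker", "run", "-it", "--rm", "archlinux:latest", "/bin/bash"]
MERGED = ["/usr/bin/docker", "run", "-it --rm", "archlinux:latest", "/bin/bash"]
MOUNT = ["/usr/bin/docker", "run", "-it", "--rm", "-v", "/etc:/etc:rw",
         "oraclelinux:6-latest", "/bin/bash"]

if __name__ == "__main__":
    for name, argv in (("intended", INTENDED), ("merged", MERGED), ("mount", MOUNT)):
        print(name, allowed_space_joined(argv), allowed_nul_terminated(SPEC, argv))
```

Joined with spaces, the merged argv produces the same string as the intended one and is accepted; with a NUL after each argument it is rejected, while the intended command still passes.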