• Bug#1100572: sudo: fails to parse regular expressions in sudoers file

    From fhomps@21:1/5 to All on Sat Mar 15 15:50:01 2025
    Package: sudo
    Version: 1.9.13p3-1+deb12u1
    Severity: normal
    X-Debbugs-Cc: francois@homps.fr

    Dear Maintainer,

    sudo does not seem to parse regular expressions in sudoers files properly.
    man sudo states it should be able to do so since 1.9.10.
    I have not tested the Debian testing version (1.9.16) as I am not comfortable replacing an important security binary with a testing version.

    I found this while building an instanced systemd service for minecraft servers.
    Ideally, I want users of the group "minecraft" to be able to start / stop / restart any instance of the service.
    One such instance (for example purposes) is named "vanilla".

    I tried to put the following in /etc/sudoers.d/minecraft:

    %minecraft ALL= NOPASSWD: /bin/systemctl start minecraft@^[a-zA-Z0-9_]+$
    (and equivalent for stop and restart)

    visudo finds no errors but the line is not taken into account.
    Simpler variants of the regex such as minecraft@^vanilla$ or ^minecraft@vanilla$ do not work either.

    Manually typing the instance names with no regex works:

    %minecraft ALL= NOPASSWD: /bin/systemctl start minecraft@vanilla

    Sudoers wildcards also work:

    %minecraft ALL= NOPASSWD: /bin/systemctl start minecraft@*

    but are not acceptable in this situation, since * matches whitespace, allowing commands such as

    sudo systemctl stop minecraft@vanilla critical_service

    Best,
    François

    -- System Information:
    Debian Release: 12.10
      APT prefers stable-updates
      APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
    Architecture: amd64 (x86_64)

    Kernel: Linux 6.1.0-31-amd64 (SMP w/16 CPU threads; PREEMPT)
    Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=en_US:en
    Shell: /bin/sh linked to /usr/bin/dash
    Init: systemd (via /run/systemd/system)
    LSM: AppArmor: enabled

    Versions of packages sudo depends on:
    ii  init-system-helpers  1.65.2
    ii  libaudit1            1:3.0.9-1
    ii  libc6                2.36-9+deb12u10
    ii  libpam-modules       1.5.2-6+deb12u1
    ii  libpam0g             1.5.2-6+deb12u1
    ii  libselinux1          3.4-1+b6
    ii  zlib1g               1:1.2.13.dfsg-1

    sudo recommends no packages.

    sudo suggests no packages.

    -- Configuration Files:
    /etc/sudoers changed:
    Defaults	env_reset
    Defaults	mail_badpass
    Defaults	secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
    Defaults	use_pty
    root	ALL=(ALL:ALL) ALL
    %sudo	ALL=(ALL:ALL) ALL
    @includedir /etc/sudoers.d

    -- no debconf information

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Marc Haber@21:1/5 to fhomps on Sat Mar 15 16:20:01 2025
    On Sat, Mar 15, 2025 at 03:43:00PM +0100, fhomps wrote:
    > sudo does not seem to parse regular expressions in sudoers files properly.
    > man sudo states it should be able to do so since 1.9.10.
    > I have not tested the Debian testing version (1.9.16) as I am not comfortable replacing an important security binary with a testing version.

    You should not install binary packages from testing on stable anyway.
    Good decision.

    If it is a bug in sudo, it is not going to be addressed in Debian 12,
    though, and I apologize for that.

    > I found this while building an instanced systemd service for minecraft servers.
    > Ideally, I want users of the group "minecraft" to be able to start / stop / restart any instance of the service.
    > One such instance (for example purposes) is named "vanilla".
    >
    > I tried to put the following in /etc/sudoers.d/minecraft:
    >
    > %minecraft ALL= NOPASSWD: /bin/systemctl start minecraft@^[a-zA-Z0-9_]+$
    > (and equivalent for stop and restart)

    I have not tried this myself, but the man page says:

    | A command is a fully qualified file name, which may include shell-style
    | wildcards (see the “Wildcards” section below), or a regular expression
    | that starts with ‘^’ and ends with ‘$’ (see the “Regular expressions”
    | section below).

    It doesn't say that you can arbitrarily mix string literals and regexps.

    Did you try

    %minecraft ALL= NOPASSWD: ^/bin/systemctl start minecraft@[a-zA-Z0-9_]+$

    I don't know whether the @ or the + need escaping. Try all variants
    please.

    There is also language saying

    | Command line arguments can include wildcards or be a regular
    | expression that starts with ‘^’ and ends with ‘$’. If the command
    | line arguments consist of ‘""’, the command may only be run with no
    | arguments.

    So

    %minecraft ALL= NOPASSWD: /bin/systemctl ^start minecraft@[a-zA-Z0-9_]+$

    might also work, but this still doesn't give any indication that your
    mixture of a regexp and a string literal works.

    Greetings
    Marc


    --
    -----------------------------------------------------------------------------
    Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
    Leimen, Germany    |  lose things." Winona Ryder    | Fon: *49 6224 1600402
    Nordisch by Nature | How to make an American Quilt  | Fax: *49 6224 1600421

  • From François Homps@21:1/5 to Marc Haber on Sat Mar 15 18:00:01 2025
    Hi Marc,

    Thanks for the lightning fast reply.

    > Did you try
    >
    > %minecraft ALL= NOPASSWD: ^/bin/systemctl start minecraft@[a-zA-Z0-9_]+$

    This does not work, but...

    > %minecraft ALL= NOPASSWD: /bin/systemctl ^start minecraft@[a-zA-Z0-9_]+$

    ...this does. Thus, problem solved for my use case. Thanks a lot!

    Digging deeper, if I understand the EBNF notation in the manpage properly:

    command name ::= regex |
                     file name

    command ::= command name |
                command name args |
                command name regex |
                command name '""' |
                ALL

    then "command name" should be able to be a regex too.
    Since in your first suggestion command name and args are part of the same regex, I tried splitting them:

    %minecraft ALL= NOPASSWD: ^/bin/systemctl$ ^start minecraft@[a-zA-Z0-9_]+$

    However, this still does not work.
    Just in case, I also tried forfeiting the second regex, which did not help:

    %minecraft ALL= NOPASSWD: ^/bin/systemctl$ start minecraft@vanilla

    Thus I'd argue there is still a bug.

    Best,
    François

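The original report and François's follow-up between them try four ways of writing the argument part of the rule, and the report's objection to `minecraft@*` is that sudoers matches arguments as one space-joined string, so `*` also absorbs a second unit name. What follows is an added example, not code from the bug report or from sudo: a small Python model of sudoers argument matching that applies those four rule bodies to the command lines from the thread. It assumes the matching primitives sudoers(5) documents (the user's arguments joined with single spaces; a spec written `^...$` matched as a regular expression; a spec containing `*`, `?` or `[` matched with fnmatch(3) without FNM_PATHNAME; anything else compared exactly) and uses Python's re module in place of POSIX ERE, which agrees for the character classes used here. The command-name half of the rule, and why the `^/bin/systemctl$` forms fail, are not modelled. Reading the "mixed" line `minecraft@^[a-zA-Z0-9_]+$` as a wildcard is the model's interpretation; it is consistent with visudo accepting the line while it never matches a real instance name, which is what the report observed.

```python
"""Model of how sudoers matches command-line arguments.

Added example for the sudoers rules discussed in the thread; it is not
code from the bug report or from sudo.  It reimplements only the argument
half of a Cmnd_Spec, with the semantics sudoers(5) documents: the user's
arguments are joined with single spaces; a spec written ^...$ is a regular
expression over that string; a spec containing '*', '?' or '[' is a
shell-style pattern matched with fnmatch(3) and no FNM_PATHNAME, so '*'
also matches spaces; anything else must match exactly.  Python's re module
stands in for POSIX ERE (equivalent for the character classes used here).
"""
import fnmatch
import re

# Argument parts of the rules from the thread (everything after
# "/bin/systemctl"), labelled with what the reporter observed for each.
RULES = {
    "literal":   "start minecraft@vanilla",           # works, one instance only
    "wildcard":  "start minecraft@*",                 # works, but over-broad
    "mixed":     "start minecraft@^[a-zA-Z0-9_]+$",   # visudo accepts it, it never matches
    "arg_regex": "^start minecraft@[a-zA-Z0-9_]+$",   # works (the form Marc suggested)
}


def classify(spec: str) -> str:
    """Decide how sudoers reads the argument part of a Cmnd_Spec."""
    if spec == "":
        return "any"        # no arguments listed: any arguments are permitted
    if spec == '""':
        return "none"       # '""' means the command may only run with no arguments
    if spec.startswith("^") and spec.endswith("$"):
        return "regex"      # the whole spec is a regular expression
    if any(c in spec for c in "*?["):
        return "wildcard"   # shell-style pattern; a '^' in the middle is just a literal
    return "literal"


def args_match(spec: str, argv: list[str]) -> bool:
    """True if argv (the words after the command) is permitted by spec."""
    user_args = " ".join(argv)      # sudo compares against the space-joined arguments
    kind = classify(spec)
    if kind == "any":
        return True
    if kind == "none":
        return user_args == ""
    if kind == "regex":
        return re.search(spec, user_args) is not None
    if kind == "wildcard":
        # fnmatchcase == fnmatch(3) with flags 0: '*' crosses spaces and '/'
        return fnmatch.fnmatchcase(user_args, spec)
    return user_args == spec


def evaluate(argv: list[str]) -> dict[str, bool]:
    """Apply every rule body from the thread to one systemctl argument vector."""
    return {name: args_match(spec, argv) for name, spec in RULES.items()}


if __name__ == "__main__":
    cases = [
        ["start", "minecraft@vanilla"],
        ["start", "minecraft@creative_2"],
        # the injection the report warns about: a second unit after the instance
        ["start", "minecraft@vanilla", "critical_service"],
        # the only shape of name the "mixed" rule can ever match
        ["start", "minecraft@^v+$"],
    ]
    for argv in cases:
        print(" ".join(argv).ljust(44), evaluate(argv))
```

Running it prints, for each command line, which rule bodies accept it; the injection line `start minecraft@vanilla critical_service` is accepted only by the wildcard rule, and the "mixed" rule accepts nothing but the literal text `minecraft@^v+$`. On a real host the authoritative check is sudo itself: `sudo -l /bin/systemctl stop minecraft@vanilla critical_service` prints the command if the policy permits it and exits with status 1 if not, which is the quickest way to confirm a rule does what you expect before handing it to a group.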
  • From Marc Haber@21:1/5 to All on Sat Mar 15 18:30:01 2025
    On Sat, Mar 15, 2025 at 04:48:10PM +0000, François Homps wrote:
    > Thus I'd argue there is still a bug.

    Would you mind taking this to the upstream mailing list? Todd might be
    helpful here, and probably develop a fix.

    That fix will, however, NOT go into Debian 12. It might be in Debian 13.

    Greetings
    Marc


