Error when parsing sudoers configuration with domain groups / groups with "@domain"
Describe the bug
sudo-rs seems to be unable to work with active directory domain groups in sudoers files. Seems it stumbles upon the @ when parsing those files.
To Reproduce
Steps to reproduce the behavior:
- Install `sudo-rs` on Ubuntu 24.04 using apt
- Use the default contents in `/etc/sudoers-rs`
- Create a sudoers configuration such as `/etc/sudoers.d/01_server_admins_group`:
    %[email protected] ALL=(ALL) NOPASSWD: ALL
- Run the following command: `sudo-rs ls`
- See error:
    /etc/sudoers.d/01_server_admins_group:2:13: expected host name
    %[email protected] ALL=(ALL) NOPASSWD: ALL
    ^
Thanks for opening this issue. For user names I based the tokeniser on the available info (e.g. a user name is an alphanumeric string which might contain dots, underscores & hyphens).
Also see https://systemd.io/USER_NAMES/
Maybe we should also allow the $ sign as a final character in user names?
Note: a general solution allowing @ in the syntax introduces a truly locally ambiguous grammar, since then we can not distinguish (easily) between:
Defaults@host setting=value
username@domain hostname=rule
E.g.
Defaults@domain env_keep=ALL
does that grant a permission to run all commands on the server env_keep to the user Defaults@domain? Of course not.
This is not a problem in the cited example above since it involves groups and those start with % which is unambiguous. So my proposed solution would be as follows:
- Create a separate `Groupname` token that is like Username but also accepts `@`.
- Add support for `@` in usernames using escape sequences, e.g. allowing them but they would have to be surrounded by quotes to resolve the ambiguity.
- And like mentioned previously, probably also accept `$` as the final character, since apparently those can happen.
Alright, so since the Defaults syntax was already ambiguous, we can lean into that and it's probably actually not as messy to fix.
Fixed by #1065
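
The token split proposed in the thread above, written out as an added example (this is not sudo-rs source code and not the change made in #1065). It classifies only the first token of a sudoers line; `Subject`, `classify`, `valid_name`, `check` and the sample tokens are hypothetical names and constructed values.

```rust
// Added illustration, not sudo-rs source; all names here are hypothetical.
#[derive(Debug, PartialEq)]
pub enum Subject { User(String), Group(String), DefaultsForHost(String) }

// User-name characters per the thread: alphanumerics, '.', '_' and '-'.
fn is_name_char(c: char) -> bool {
    c.is_ascii_alphanumeric() || matches!(c, '.' | '_' | '-')
}

// Non-empty body, one optional trailing '$', and '@' only when allowed.
fn valid_name(s: &str, allow_at: bool) -> bool {
    let body = s.strip_suffix('$').unwrap_or(s);
    !body.is_empty() && body.chars().all(|c| is_name_char(c) || (allow_at && c == '@'))
}

// Turn a validation result into the accepted name or a parse error.
fn check(ok: bool, what: &str, s: &str) -> Result<String, String> {
    if ok { Ok(s.to_string()) } else { Err(format!("invalid {}: {}", what, s)) }
}

// Classify the first token of a sudoers line.
pub fn classify(token: &str) -> Result<Subject, String> {
    if let Some(group) = token.strip_prefix('%') {
        // The '%' sigil is unambiguous, so a group token may contain '@'.
        return check(valid_name(group, true), "group name", group).map(Subject::Group);
    }
    if let Some(host) = token.strip_prefix("Defaults@") {
        // Unquoted, this always means host-scoped Defaults, never a user.
        return check(!host.is_empty(), "host name", host).map(Subject::DefaultsForHost);
    }
    if let Some(q) = token.strip_prefix('"').and_then(|t| t.strip_suffix('"')) {
        // Quotes resolve the ambiguity, so '@' is accepted in a user name.
        return check(valid_name(q, true), "user name", q).map(Subject::User);
    }
    // A bare user name may not contain '@'; it must be quoted instead.
    check(valid_name(token, false), "unquoted user name", token).map(Subject::User)
}

fn main() {
    // Constructed sample tokens.
    let samples = ["%server_admins@example.test", "Defaults@web01", "alice@example.test"];
    for t in samples.iter() {
        println!("{} -> {:?}", t, classify(t));
    }
}
```

Rejecting the bare `alice@example.test` form instead of guessing keeps a mistyped `Defaults@host` line from ever being read as a permission grant.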