memorysafety
Add support for quoted arguments where man sudoers says we should
- [x] find out what characters normally need escaping and which don't if they are in quotes
- [ ] implement this in the parser
A user name, uid, group, gid, netgroup, nonunix_group or nonunix_gid may be enclosed in double quotes to avoid the need for escaping special characters. Alternately, special characters may be specified in escaped hex mode, e.g., \x20 for space. When using double quotes, any prefix characters must be in‐ cluded inside the quotes.
and
Unquoted strings must use a backslash (‘\’) to escape spaces and special characters. See Other special characters and reserved words for a list of characters that need to be escaped.
and
The following characters must be escaped with a backslash (‘\’) when used as part of a word (e.g., a user name or host name): ‘!’, ‘=’, ‘:’, ‘,’, ‘(’, ‘)’, ‘\’.
and
Note that the following characters must be escaped with a ‘\’ if they are used in command arguments: ‘,’, ‘:’, ‘=’, ‘\’.
(although this part of the man page says nothing about using quotes instead of escapes).
And there are some reserved words such as ALL, CHROOT, ROLE, TYPE, TIMEOUT, CWD, NOTBEFORE and NOTAFTER.
I have some more questions before I remove the "investigate" label. Right now we support quotes around the "include file" mechanism (for obvious reasons: whitespace) and Defaults (for obvious reasons: quotes are an integral part in some cases).
The question that pops in my mind: what is the role of quotes in a Command specification, and why exactly would you want to have special characters in a user name anyway.
Quotes don't seem to have a role in Command specifications (if I specify them I have to explicitly specify them on the command line as well). Also now that I read this issue again I'm not sure on why you would need to escape characters in a uid (a uid is spec'd as a # followed by a number)
Experimentally, a " should also be escaped; i.e. the documentation is not 100% reliable.