Skip to content

Use final matching rule when determining if a command is permitted #1

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Use final matching rule when determining if a command is permitted #1

wants to merge 1 commit into from

Conversation

localspook
Copy link

Currently, a command is permitted only if there are no other rules denying it anywhere in the config file. This is inconsistent with the original doas. From the doas.conf manpage:

The last matching rule determines the action taken.  If no rule matches, the action is denied.

So, given the following config file:

deny l33thaxor cmd cmatrix
permit l33thaxor cmd cmatrix

doas permits l33thaxor to run cmatrix, but rsudoas doesn't.

The key changes are:

Rules::try_from(&str) is replaced with config::parse_into_rules, which returns an ordered list of rules.
Rules::r#match is replaced with Rule::matches, which checks if an individual rule matches.

As a side effect of the changes, this commit fixes another inconsistency where the original doas did not allow using the nopass option with deny rules, but rsudoas did.

@localspook
Use final matching rule when determining if a command is permitted
e1cc239 
Before, a command was permitted only if there were no other
rules denying it *anywhere* in the file. This is inconsistent
with the original doas.

As a side effect of the changes, this commit fixes another
inconsistency where the original doas did not allow
using the `nopass` option with `deny` rules, but rsudoas did.
localspook
localspook commented Dec 25, 2023
View reviewed changes
src/lib.rs
type Error = String;

fn try_from(config: &str) -> Result<Self, Self::Error> {
pub fn parse_into_rules(config: &str) -> Result<Vec<Rule>, String> {
Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

parse_into_rules() is now incorrectly indented, but if I change the whitespace the diff becomes really hard to read >_<

@TheDcoder
Copy link
Member

Good catch, this is something I noticed as well but I had already finished the current matching logic by that time.

I'm still not sure if I should switch to doas's simpler matching logic... perhaps I should offer this as a compile time option.

I'd like to gather more feedback from actual doas users.

Thanks for the PR in any case, mind if I ask how you stumbled upon this project?

TheDcoder
TheDcoder reviewed Dec 31, 2023
View reviewed changes
src/main.rs
}
let config = std::fs::read_to_string(config_file).expect("Failed to read config");
let rules = match Rules::try_from(&*config) {
// Make sure the config file ends with a newline.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why?

TheDcoder
TheDcoder reviewed Dec 31, 2023
View reviewed changes
src/lib.rs
match (&*token, pure) {
("nopass", true) => rule.options.nopass = true,
("nopass", true) => match rule.action {
RuleAction::Deny => return Err("The nopass option cannot be used with the deny action".to_string()),
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What does doas do in this case?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TheDcoder TheDcoder TheDcoder left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@localspook @TheDcoder