)]}'
{"openstack/monasca-agent/openstack-monasca-agent.sudoers":[{"author":{"_account_id":12907,"name":"Jan Zerebecki","email":"jan.openstack@zerebecki.de","username":"jzerebecki"},"change_message_id":"055824fac55e1f21d5b82f88eb1c11f1687aa335","unresolved":false,"context_lines":[{"line_number":1,"context_line":"# Needed for monasca_agent.collector.checks_d.swift_diags"},{"line_number":2,"context_line":"monasca-agent ALL \u003d (root) NOPASSWD:/usr/local/bin/diagnostics,/usr/local/bin/swift-checker,/bin/ip netns exec * /bin/ping *,/usr/bin/ovs-vsctl"},{"line_number":3,"context_line":"# Needed for monasca_agent.collector.checks_d.postfix"},{"line_number":4,"context_line":"monasca-agent ALL \u003d (root) NOPASSWD:NOEXEC:/usr/bin/find"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"ff570b3c_689e3664","line":2,"range":{"start_line":2,"start_character":111,"end_line":2,"end_character":112},"updated":"2020-05-11 15:57:42.000000000","message":"This allows any command by something like:\nip netns exec NS bash -c \u0027whoami\u0027 /bin/ping foo \n\nTo avoid this, replace the first * with:\n[! 
]","commit_id":"5f8058dc47d7125a73be8c12c9ef3b48c5be82ba"},{"author":{"_account_id":12907,"name":"Jan Zerebecki","email":"jan.openstack@zerebecki.de","username":"jzerebecki"},"change_message_id":"660362a07c43d529a96444445ceb70418c213b2c","unresolved":false,"context_lines":[{"line_number":1,"context_line":"# Needed for monasca_agent.collector.checks_d.swift_diags"},{"line_number":2,"context_line":"monasca-agent ALL \u003d (root) NOPASSWD:/usr/local/bin/diagnostics,/usr/local/bin/swift-checker,/bin/ip netns exec * /bin/ping *,/usr/bin/ovs-vsctl"},{"line_number":3,"context_line":"# Needed for monasca_agent.collector.checks_d.postfix"},{"line_number":4,"context_line":"monasca-agent ALL \u003d (root) NOPASSWD:NOEXEC:/usr/bin/find"}],"source_content_type":"application/octet-stream","patch_set":2,"id":"ff570b3c_3eed98ef","line":2,"range":{"start_line":2,"start_character":111,"end_line":2,"end_character":112},"in_reply_to":"ff570b3c_689e3664","updated":"2020-05-11 17:09:12.000000000","message":"Keith pointed out in chat, that this won\u0027t work. I misread the documentation. As https://github.com/sudo-project/sudo/blob/6c1b155fed23348c58a03f6c1193922132b5b66a/plugins/sudoers/match_command.c#L83 is using fnmatch without FNM_EXTMATCH, there is no way to restrict this from allowing any commands while allowing a variable length namespace.","commit_id":"5f8058dc47d7125a73be8c12c9ef3b48c5be82ba"},{"author":{"_account_id":12907,"name":"Jan Zerebecki","email":"jan.openstack@zerebecki.de","username":"jzerebecki"},"change_message_id":"4031a9d79597a8e86adaa7a78fe5950bebd3cfd9","unresolved":false,"context_lines":[{"line_number":1,"context_line":"# Needed for monasca_agent.collector.checks_d.swift_diags"},{"line_number":2,"context_line":"monasca-agent ALL \u003d (root) NOPASSWD:/usr/local/bin/diagnostics,/usr/local/bin/swift-checker,/bin/ip netns exec qrouter-????????-????-????-????-???????????? 
/bin/ping *,/usr/bin/ovs-vsctl"},{"line_number":3,"context_line":"# Needed for monasca_agent.collector.checks_d.postfix"},{"line_number":4,"context_line":"monasca-agent ALL \u003d (root) NOPASSWD:NOEXEC:/usr/bin/find"}],"source_content_type":"application/octet-stream","patch_set":3,"id":"ff570b3c_59bfc6fa","line":2,"range":{"start_line":2,"start_character":119,"end_line":2,"end_character":120},"updated":"2020-05-11 17:56:52.000000000","message":"Good idea. The ? still allows a space, so if you replace each ? with the negation of space, [! ], then it will work.","commit_id":"ce26bbbbb9afe35a2d6354bf9e225aa2e374afc6"}]}
