How to create and test REGEX commands for *NIX privileged commands in Access Manager


By Centrify ‎06-24-2018 04:54 PM

First, what is a REGEX command? In Access Manager a UNIX command right can be written as a regular expression rather than as a literal command line, so one right can cover a whole family of commands. Microsoft's regular expression documentation defines the underlying idea as follows: a regular expression is a pattern that the regular expression engine attempts to match in input text. A pattern consists of one or more character literals, operators, or constructs.

 

Second, what does a REGEX command look like? Here is an example:

 

\/home\/deploy\/Documents\/Test\/[a-zA-Z0-9_.-]*$

 

 

This blog takes that confusing string of characters apart and shows you how to build and test your own REGEX commands in a few simple steps, with some tips along the way.

 

Step 1:

Don't get overwhelmed. Just like any other programming code, once you understand the syntax it becomes simpler. Let's take our example from above. What does that command allow the user to do? It's a REGEX command that allows a user to run any command or script that sits directly in a specific directory, in this case /home/deploy/Documents/Test. Note what it does not allow: the character class contains no space and no slash, so the script cannot be given arguments and cannot live in a subdirectory of Test.

 

Step 2:

Use sections of previous commands that you know work. 

 

[a-zA-Z0-9_.-]

 

The above snippet is a character class: it matches one character that is any lowercase letter from a-z, any uppercase letter from A-Z, any digit from 0-9, an underscore, a period or a dash. That set covers the file names of most scripts or commands a user would run.

 

The * after the class means "zero or more" of the preceding item, so the class is repeated as many times as the file name needs. Because zero repetitions also count, the finished pattern matches a path that ends in the bare directory; if you want to insist on at least one character, use + instead of *.

 

[a-zA-Z0-9_.-]*

 

The $ anchors the match to the end of the string, so nothing (for example a command-line argument) may follow the file name.

 

[a-zA-Z0-9_.-]*$

 

Now you just have to specify your path, if you require one. Each directory in the path is written with the slash escaped as \/ (regex101 uses / as the pattern delimiter, so an unescaped slash would end the pattern there), and the path ends with the file-name pattern above. Notice that there is no ^ anchor at the start; if your agent matches the pattern anywhere in the command line rather than requiring the whole line to match, add ^ at the front so that text placed in front of the path is rejected.

 

Putting the path in front of the file-name pattern gives our complete command:

 

\/home\/deploy\/Documents\/Test\/[a-zA-Z0-9_.-]*$

 

Step 3:

Use Regex101.com. This tool will save you a lot of time. Without it, the cycle is: write the regex, create the command in Access Manager, assign it to a role definition, create a role assignment, refresh the cache on your machine and test the command, only to see it fail.

 

Regex101 allows you to play with the syntax and get instant match results. 

 

[Image: regextest.PNG, a Regex101 screenshot with the pattern in the 'Regular Expression' box and the test string /home/deploy/Documents/Test/install.sh reported as a full match]

You insert your command in the 'Regular Expression' box at the top and a sample input that a user would try in the test string box. In the image above I'm testing a user who wants to run our install.sh script in that specific directory, and the result is a full match, so the command should work once I enter it in Access Manager. Check that regex101 reports a full match, not just a match: a partial match means the pattern only covers part of the command line, which is exactly the case you do not want to discover after the role assignment is in place.

 

Samples

 

Here are two more sample commands you can use for free ;)

 

The first command allows a user to use the chmod command on files in the specific directory /test/scripts, with a numeric mode only (no symbolic modes such as u+x and no options such as -R):

     a) (chmod) ([0-7]{3,4}) (\/test\/scripts\/[A-Za-z0-9\=_\/\-]+)

Two things to check before reusing it. The {3,4} repetition also accepts a four-digit mode such as 4755, so the right permits setting the setuid, setgid and sticky bits; use {3} if that is not intended. The path's character class contains a slash, so files in subdirectories are allowed, but it contains no period, so a file named deploy.sh does not fully match. If you add a period to the class, remember that the slash and period together also allow /test/scripts/../../ to escape the directory.

 

The second command allows a user to use the chown command on files in the same directory /test/scripts; the middle group accepts an owner or an owner:group pair, and the pattern places no restriction on which owner may be chosen:

     b) (chown) ([A-Za-z0-9\=_\/\:\-]+) (\/test\/scripts\/[A-Za-z0-9\=_\/\-]+)
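The following Python script is an added example, not part of the original post and not Centrify's code. It takes the three patterns from Steps 1-3 and the Samples above and checks them against constructed command lines in two ways: as a full match of the whole command line, and as a search that may match anywhere, which is what regex101 shows by default. The command lines, and the tightened variant ANY_SCRIPT_ANCHORED, are my own assumptions for illustration; whether Access Manager requires the whole command line to match is something to confirm on your own agent before relying on the difference.

```python
import re

# The three patterns from this post, exactly as written for Access Manager.
ANY_SCRIPT_IN_TEST = r"\/home\/deploy\/Documents\/Test\/[a-zA-Z0-9_.-]*$"
CHMOD_IN_SCRIPTS = r"(chmod) ([0-7]{3,4}) (\/test\/scripts\/[A-Za-z0-9\=_\/\-]+)"
CHOWN_IN_SCRIPTS = r"(chown) ([A-Za-z0-9\=_\/\:\-]+) (\/test\/scripts\/[A-Za-z0-9\=_\/\-]+)"

# Tightened variant (my assumption, not from the post): anchored at the start with ^
# and requiring at least one file-name character with +, so an empty file name and
# a command line with extra text in front of the path are both rejected.
ANY_SCRIPT_ANCHORED = r"^\/home\/deploy\/Documents\/Test\/[a-zA-Z0-9_.-]+$"


def full_match(pattern, command):
    """True only if the pattern covers the whole command line."""
    return re.fullmatch(pattern, command) is not None


def search_match(pattern, command):
    """True if the pattern matches anywhere in the command line (regex101's default view)."""
    return re.search(pattern, command) is not None


def evaluate(pattern, commands):
    """Map each command line to a (full_match, search_match) pair."""
    return {cmd: (full_match(pattern, cmd), search_match(pattern, cmd)) for cmd in commands}


# Constructed command lines a user might type; none of these come from the post.
SCRIPT_CASES = [
    "/home/deploy/Documents/Test/install.sh",            # intended use
    "/home/deploy/Documents/Test/install.sh --force",    # arguments: rejected by $ and the class
    "/home/deploy/Documents/Test/sub/run.sh",            # subdirectory: / is not in the class
    "/home/deploy/Documents/Test/",                      # empty name: * allows zero characters
    "/bin/bash /home/deploy/Documents/Test/install.sh",  # text in front: only a search finds it
]

CHMOD_CASES = [
    "chmod 755 /test/scripts/deploy",              # intended use
    "chmod 755 /test/scripts/deploy.sh",           # '.' is not in the class: full match fails
    "chmod 4755 /test/scripts/deploy",             # {3,4} also permits a setuid bit
    "chmod 755 /test/scripts/../../etc/shadow",    # traversal blocked because '.' is excluded
    "chmod -R 777 /test/scripts",                  # option instead of a numeric mode: rejected
]

CHOWN_CASES = [
    "chown deploy:deploy /test/scripts/deploy",    # owner:group form
    "chown root /test/scripts/deploy",             # owner is not restricted by the pattern
]


if __name__ == "__main__":
    for name, pattern, cases in [
        ("any script in Test", ANY_SCRIPT_IN_TEST, SCRIPT_CASES),
        ("any script in Test (anchored)", ANY_SCRIPT_ANCHORED, SCRIPT_CASES),
        ("chmod in /test/scripts", CHMOD_IN_SCRIPTS, CHMOD_CASES),
        ("chown in /test/scripts", CHOWN_IN_SCRIPTS, CHOWN_CASES),
    ]:
        print(f"== {name}: {pattern}")
        for cmd, (full, found) in evaluate(pattern, cases).items():
            print(f"  full={str(full):5}  search={str(found):5}  {cmd}")
```

Run it once before touching Access Manager: every case where the two columns disagree is a command line that regex101 would show as a (partial) match but that would fail, or be accepted, depending on how the agent applies the pattern.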

 

Tips

 

When copying and pasting commands you wrote in regex101 into Access Manager, special characters are sometimes not carried over correctly. The dash '-' is the usual victim: it can be replaced by a different Unicode dash character that looks almost the same (it may appear slightly shorter or longer in Access Manager) but is no longer the hyphen the pattern needs. If the command fails on your UNIX machine but matches in regex101, the first thing to rule out is a copy/paste issue. Type the full command out in Access Manager to avoid this problem.
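As an added example (mine, not part of the original post or of Centrify's tooling), the script below shows why a damaged paste is so hard to spot: the pattern still compiles, it just stops matching the hyphen. It lists every non-ASCII character in a pattern with its code point and Unicode name, and can map the common dash look-alikes back to '-'. The damaged pattern PASTED is constructed here by replacing the hyphen with a non-breaking hyphen (U+2011); which character a real paste substitutes depends on the editor and browser involved.

```python
import re
import unicodedata

# The post's chmod pattern typed out correctly (plain ASCII hyphen, U+002D, before the ']').
CLEAN = r"(chmod) ([0-7]{3,4}) (\/test\/scripts\/[A-Za-z0-9\=_\/\-]+)"

# Constructed example of a damaged paste: the same pattern, but the hyphen has been
# replaced by a non-breaking hyphen (U+2011). On screen it looks almost identical.
PASTED = CLEAN.replace("\\-", "\\\u2011")

# Dash look-alikes that editors, word processors and web forms commonly substitute for '-'.
DASH_LOOKALIKES = "\u2010\u2011\u2012\u2013\u2014\u2015\u2212"


def suspicious_chars(pattern):
    """Return (offset, char, code point, Unicode name) for every character outside printable ASCII."""
    return [
        (i, ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "UNKNOWN"))
        for i, ch in enumerate(pattern)
        if not 0x20 <= ord(ch) <= 0x7E
    ]


def normalize_dashes(pattern):
    """Map dash look-alikes back to the ASCII hyphen; everything else is left untouched."""
    return "".join("-" if ch in DASH_LOOKALIKES else ch for ch in pattern)


def accepts(pattern, command):
    """Whether the pattern fully matches a command line."""
    return re.fullmatch(pattern, command) is not None


if __name__ == "__main__":
    cmd = "chmod 755 /test/scripts/my-script"  # constructed: a file name containing a hyphen
    for label, pat in (("clean", CLEAN), ("pasted", PASTED)):
        print(f"{label}: matches {cmd!r}: {accepts(pat, cmd)}")
        for offset, ch, code_point, name in suspicious_chars(pat):
            print(f"  offset {offset}: {code_point} {name}")
    print("normalized equals clean:", normalize_dashes(PASTED) == CLEAN)
```

The normalization is there to confirm the diagnosis; the fix the post recommends, retyping the pattern by hand in Access Manager, is still the safer habit, since a look-alike can just as easily hide in a bracket or a backslash.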

 

For additional regex syntax, please refer to Microsoft's online regular expression language reference.

 
