From 2a2686188674bee2b19bef5f09b11f80fd63046b Mon Sep 17 00:00:00 2001
From: Dan Fandrich <danf@mageia.org>
Date: Mon, 30 Sep 2024 16:38:20 -0700
Subject: Tighten the sudo for the maintdb scripts

Make sudoers a bit more robust against attempts to play with the
arguments. Unfortunately, our sudo is too old to support regexes.
---
 modules/buildsystem/templates/maintdb/sudoers.maintdb | 6 ++++--
 modules/buildsystem/templates/maintdb/wrapper.maintdb | 3 +--
 2 files changed, 5 insertions(+), 4 deletions(-)

(limited to 'modules')

diff --git a/modules/buildsystem/templates/maintdb/sudoers.maintdb b/modules/buildsystem/templates/maintdb/sudoers.maintdb
index c4bef4cb..4744e534 100644
--- a/modules/buildsystem/templates/maintdb/sudoers.maintdb
+++ b/modules/buildsystem/templates/maintdb/sudoers.maintdb
@@ -1,2 +1,4 @@
-%<%= scope.lookupvar('buildsystem::var::groups::packagers') %>   ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %>
-<%= scope.lookupvar('buildsystem::var::scheduler::login') %>    ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %>
+%<%= scope.lookupvar('buildsystem::var::groups::packagers') %>   ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* [gs]et [a-zA-Z0-9]*
+%<%= scope.lookupvar('buildsystem::var::groups::packagers') %>   ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* set [a-zA-Z0-9]* [a-z]*
+<%= scope.lookupvar('buildsystem::var::scheduler::login') %>    ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* [gs]et [a-zA-Z0-9]*
+<%= scope.lookupvar('buildsystem::var::scheduler::login') %>    ALL =(<%= scope.lookupvar('buildsystem::var::maintdb::login') %>) NOPASSWD: <%= scope.lookupvar('buildsystem::var::maintdb::binpath') %> [a-z]* set [a-zA-Z0-9]* [a-z]*
diff --git a/modules/buildsystem/templates/maintdb/wrapper.maintdb b/modules/buildsystem/templates/maintdb/wrapper.maintdb
index 2adddd1e..fcf69dab 100644
--- a/modules/buildsystem/templates/maintdb/wrapper.maintdb
+++ b/modules/buildsystem/templates/maintdb/wrapper.maintdb
@@ -22,5 +22,4 @@ then
    exit 1
 fi
 
-sudo -u "$maintdbuser" "$maintdbpath" $(whoami) $@
-
+sudo -u "$maintdbuser" "$maintdbpath" $(whoami) "$@"
-- 
cgit v1.2.1