rpcd / acl.d problem

Paul D newtwen at gmail.com
Sat Mar 2 06:11:28 PST 2024


Can this be fixed or is lib micro box the limitation?

See jow's commit for the current apex of permission strings:

https://git.openwrt.org/?p=project/rpcd.git;a=commitdiff;h=aaa08366e6384d9933a405d1218b03c1b167f9e5



In https://github.com/openwrt/luci/pull/6907 I encountered a permissions 
problem. The command to permit is:

/usr/bin/find -L /dev -maxdepth 3 -type c -name lp[0-9]

That is, the find command needs a regex of lp[0-9], to find only the 
following:

lp0
lp1
...
lp9


The find man page says:


      -name pattern
             True if the last component of the pathname being examined matches pattern.  Special shell pattern matching characters (“[”, “]”, “*”, and “?”) may be used as part of pattern.  These characters may be matched explicitly by escaping them with a backslash (“\”).


The acl.d file expects a filter in the 
/root/usr/share/rpcd/acl.d/luci-*.json JSON, but it does not understand 
the literal command:

"/usr/bin/find -L /dev -maxdepth 3 -type c -name lp[0-9]": ["exec"]

causes a 403. It anticipates lp0, lp1, ... in the command.

"/usr/bin/find -L /dev -maxdepth 3 -type c -name lp\[0-9\]": ["exec"]

Also causes a 403, but the page does not even load. My JSON parser dislikes 
this too.

So the workaround is to use the glob: *

/usr/bin/find -L /dev -maxdepth 3 -type c -name lp*


where the author of the above commit says:

"(do not use glob *, as) This will prevent unwanted parameter injection."

¯\_(ツ)_/¯
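An added example, not code from the post or from rpcd itself, modelling the matching behaviour the post describes: the ACL object string is taken as an fnmatch(3) shell pattern and the full command line is matched against it. That rpcd uses fnmatch, and with which flags, is an assumption here, so the flags argument is exposed and both the default (backslash escapes honoured) and FNM_NOESCAPE variants are checked. The helper name acl_allows and the sample command lines are constructed for the example. It also shows the JSON-level point: a backslash inside a JSON string must itself be escaped, so an entry has to be written as "lp\\[0-9\\]" for the matcher to receive lp\[0-9\].

```c
#include <fnmatch.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical model of an rpcd file/exec ACL check (assumption: the ACL
 * object string is an fnmatch(3) pattern, matched against the complete
 * command line). flags = 0 means a backslash escapes the next character;
 * FNM_NOESCAPE makes the backslash literal. */
static bool acl_allows(const char *acl_pattern, const char *cmdline, int flags)
{
    return fnmatch(acl_pattern, cmdline, flags) == 0;
}

/* Common prefix of the command from the post; only the -name argument varies. */
#define FIND "/usr/bin/find -L /dev -maxdepth 3 -type c -name "

/* Case 1: ACL entry exactly as the post wrote it. The [0-9] is a glob
 * character class, so it matches lp0..lp9 but not the literal text lp[0-9]. */
static bool case_class_matches_lp0(void)
{
    return acl_allows(FIND "lp[0-9]", FIND "lp0", 0);
}
static bool case_class_rejects_literal(void)
{
    return !acl_allows(FIND "lp[0-9]", FIND "lp[0-9]", 0);
}

/* Case 2: the pattern the matcher sees after decoding the JSON string
 * "lp\\[0-9\\]" (C literal "lp\\[0-9\\]" == characters lp\[0-9\]).
 * With escapes honoured the brackets become literal, so the literal
 * command is permitted and lp0 is not. */
static bool case_escaped_matches_literal(void)
{
    return acl_allows(FIND "lp\\[0-9\\]", FIND "lp[0-9]", 0);
}
static bool case_escaped_rejects_lp0(void)
{
    return !acl_allows(FIND "lp\\[0-9\\]", FIND "lp0", 0);
}
/* If the matcher were called with FNM_NOESCAPE, the backslash would be a
 * literal character and the escaped form would match nothing useful. */
static bool case_escaped_noescape_fails(void)
{
    return !acl_allows(FIND "lp\\[0-9\\]", FIND "lp[0-9]", FNM_NOESCAPE);
}

/* Case 3: the lp* workaround. Without FNM_PATHNAME, * matches any
 * characters including spaces, so it also admits extra find arguments. */
static bool case_star_matches_literal(void)
{
    return acl_allows(FIND "lp*", FIND "lp[0-9]", 0);
}
static bool case_star_admits_extra_args(void)
{
    /* constructed injected argument: -delete would remove matched nodes */
    return acl_allows(FIND "lp*", FIND "lp0 -delete", 0);
}

int main(void)
{
    printf("lp[0-9]     allows lp0:        %d\n", case_class_matches_lp0());
    printf("lp[0-9]     rejects lp[0-9]:   %d\n", case_class_rejects_literal());
    printf("lp\\[0-9\\]   allows lp[0-9]:    %d\n", case_escaped_matches_literal());
    printf("lp\\[0-9\\]   rejects lp0:       %d\n", case_escaped_rejects_lp0());
    printf("FNM_NOESCAPE breaks escaping:  %d\n", case_escaped_noescape_fails());
    printf("lp*         allows lp[0-9]:    %d\n", case_star_matches_literal());
    printf("lp*         allows lp0 -delete:%d\n", case_star_admits_extra_args());
    return 0;
}
```

The last case is the parameter-injection concern from the quoted commit message made concrete: a trailing `*` in an exec ACL matches whatever follows, so a caller who can choose the -name argument can append further find options. Whether the escaped form fixes the problem in practice depends on the flags rpcd actually passes to its matcher, which the post does not establish.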



