[Logcheck-devel] Bug#272969: logcheck-database: violations.ignore.d/logcheck-sudo can not handle spaces in directory names

Wouter Koolen-Wijkstra wmkoolen at science.uva.nl
Thu Sep 23 06:49:29 UTC 2004


Package: logcheck-database
Version: 1.2.27
Severity: normal

Dear maintainer,

The file violations.ignore.d/logcheck-sudo contains the following
pattern to filter out normal uses of sudo:
^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; PWD=[^[:space:]]+ ; USER=[^[:space:]]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$

The problem is the part that matches the directory where sudo was
executed by the user:
PWD=[^[:space:]]+ ;

This regexp presupposes that directory names do not contain spaces.
Spaces are not specially marked (e.g. '\ ') in the log. I propose to
not bother about them and just match up to the next ';' instead.
PWD=[^;]+;

This of course presupposes that directories do not contain ';'s. This
problem will remain, as directory names can contain anything, and sudo
does not mark the beginning or end. But directories containing ';' are (I
suppose) far less common than those containing spaces.

Best regards,

Wouter Koolen-Wijkstra



-- System Information:
Debian Release: 3.1
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)
Kernel: Linux 2.6.8optimized.1.8
Locale: LANG=C, LC_CTYPE=C

Versions of packages logcheck-database depends on:
ii  debconf [debconf-2.0]         1.4.36     Debian configuration management sy

-- debconf information:
  logcheck-database/conffile-cleanup: false
* logcheck-database/rules-directories-note:
  logcheck-database/standard-rename-note:
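
An added example, not part of the original report: it runs the packaged pattern and the proposed `PWD=[^;]+;` variant with `grep -E` over three constructed sudo log lines, showing which lines each rule filters out and which would still be reported. The host name, user name and paths in the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Patterns from the report, split around the PWD clause under discussion.
HEAD='^\w{3} [ :0-9]{11} [._[:alnum:]-]+ sudo:[[:space:]]+[_[:alnum:]-]+ : TTY=(unknown|pts/[0-9]+) ; '
TAIL=' USER=[^[:space:]]+ ; COMMAND=/(usr|etc|bin|sbin)/.*$'
ORIGINAL="${HEAD}PWD=[^[:space:]]+ ;${TAIL}"
PROPOSED="${HEAD}PWD=[^;]+;${TAIL}"

# Constructed sample log lines (not taken from a real system).
LINE_PLAIN='Sep 23 06:49:29 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update'
LINE_SPACE='Sep 23 06:49:30 host sudo:    alice : TTY=pts/1 ; PWD=/home/alice/My Documents ; USER=root ; COMMAND=/usr/bin/apt-get update'
LINE_SEMI='Sep 23 06:49:31 host sudo:    alice : TTY=pts/1 ; PWD=/tmp/a;b ; USER=root ; COMMAND=/usr/bin/apt-get update'

# verdict PATTERN LINE: prints "ignored" if the rule filters the line out,
# "reported" if the line would still show up in the logcheck mail.
verdict() {
    if printf '%s\n' "$2" | grep -Eq -- "$1"; then
        echo ignored
    else
        echo reported
    fi
}

# compare LINE: prints the verdict of both rules for one line.
compare() {
    echo "original=$(verdict "$ORIGINAL" "$1") proposed=$(verdict "$PROPOSED" "$1")"
}

for line in "$LINE_PLAIN" "$LINE_SPACE" "$LINE_SEMI"; do
    compare "$line"
done
```

The third line shows the trade-off named in the report: a working directory containing ';' is filtered by the packaged rule but reported under the proposed one.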




