Summary

Wild card characters * and ? may be used in most positions of an Access Route. The asterisk * can match multiple characters in a file, user or host name or IP address. The question mark ? matches one character in a file, user, host name or IP address.

  • Access Methods
  • Host names
  • IP address ranges
  • Usernames
  • Program definitions (SUEXEC and WINRUNAS)
  • Terminals

Wild card characters * and ? may be in the program definition in Access Routes and program groups. Additionally, character ranges (e.g. [A-Z]) are allowed for program arguments in Access Routes and program groups.

Character classes (e.g. [:lower:]) are never allowed.

A quick color-coded guide to wild cards in Access Routes

LOGIN: tty->tohost

SU: fromuser@tty->touser@tohost

TELNET: fromhost->tohost

RLOGIN: fromuser@fromhost->tohost

SUEXEC: fromuser@tty->touser@tohost prog args

  • Wild cards '?' and '*'

  • Wild cards '?' and '*', but wild cards will not match root.

  • Wild card matching in segments for hostnames and IP addresses. Host Groups must match exactly.

  • fnmatch wild card matching.

Description

Wild card usage in Access Routes:

Access Method:

  • Wild cards "*" and "?" can be used, but all administration methods must be matched exactly, and will not match a wild card. These methods are:
    • BOKSADM - Old GUI
    • BCCAS - FCC and Web Services Interface
    • PWADM - Administrative access to Password Manager
    • PWMGR - Access to Password Manager GUI
  • Please note that PWCO (ability to check out user passwords) does match wild cards.
  • All syntax must be correct. For instance, a "*" matches all other access methods, but not all of them share the same route syntax: the source location for LOGIN, SU, SUEXEC, SWROLE and WINRUNAS is a terminal, while for the other methods it is a host, Host Group or IP address.

Wild card matching of host names and IP addresses is done in segments. For host names, each domain component is matched separately and for IP addresses each network segment is matched separately.

Example:

The hostname alpha.beta.gamma.com will be matched by the expression '*.*.gamma.com' but not the expression '*.gamma.com'.

Similarly for IP addresses: The address 192.168.1.100 will be matched by the expression '192.168.*.*' but not the expression '192.168.*'.

In fact, '192.168.*' is an invalid expression in BoKS as IPv4 wild card addresses must define 4 network segments and IPv6 wild card addresses must define 8 network segments.

There is one exception to the segment matching rule. If the variable HOSTSTARMATCHALL is set to 'on' in the ${BOKS_etc}/method.conf file a single '*' will match any host name or IP address.

HOSTSTARMATCHALL=on is the default setting.
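The segment rule, the 4/8-segment requirement for IP wild cards and the HOSTSTARMATCHALL exception, written out as an added Python illustration (not BoKS code). The function names, the `hoststarmatchall` flag and the leading-zero normalisation of IPv6 hextets are my own assumptions.

```python
import ipaddress
import re
from typing import List


def _segment_matches(pattern: str, value: str) -> bool:
    """Match one domain label or address segment. Only * and ? are wild for
    hosts (no character ranges), so every other character is literal."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE) is not None


def _hextet(seg: str) -> str:
    """Assumed normalisation: compare IPv6 hextets without leading zeros."""
    return seg if ("*" in seg or "?" in seg) else (seg.lstrip("0") or "0")


def split_expression(expr: str) -> List[str]:
    """Split a route host expression into segments and reject wild card IP
    expressions that do not define every segment (4 for IPv4, 8 for IPv6)."""
    if ":" in expr:
        segs = expr.split(":")
        if len(segs) != 8:
            raise ValueError(f"IPv6 wild card must define 8 segments: {expr!r}")
        return [_hextet(s) for s in segs]
    segs = expr.split(".")
    if len(segs) > 1 and all(re.fullmatch(r"[0-9*?]+", s) for s in segs):
        if len(segs) != 4:
            raise ValueError(f"IPv4 wild card must define 4 segments: {expr!r}")
    return segs


def split_value(value: str) -> List[str]:
    """Split the host name or address being checked the same way."""
    try:
        return [_hextet(s) for s in ipaddress.IPv6Address(value).exploded.split(":")]
    except ipaddress.AddressValueError:
        return value.split(".")


def host_matches(expr: str, value: str, hoststarmatchall: bool = True) -> bool:
    """Segment-wise match of a route host expression against a host name or IP.
    hoststarmatchall mirrors HOSTSTARMATCHALL in ${BOKS_etc}/method.conf."""
    if expr == "*" and hoststarmatchall:
        return True                      # the one exception to segment matching
    pat, val = split_expression(expr), split_value(value)
    return len(pat) == len(val) and all(map(_segment_matches, pat, val))
```

With HOSTSTARMATCHALL off, a lone `*` falls back to segment matching and only matches single-segment names.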


Source location:

  • Unchecked source - Some access methods do not check source location. For these, a wild card "*" is typically used. The methods that do not check source location are:
    • WINNETSHARE
    • NETSHARE
    • SSHPKADM
    • SSHPKLIST
  • Terminals - Terminals are the source location for LOGIN, SU, SUEXEC, SWROLE and WINRUNAS access methods.
    • Typically the only terminal that will be known is console for LOGIN and WINLOGIN Access Routes.
    • For UNIX/Linux systems, the terminal specified is the last part of /dev/xxxx. Both FCC and the old GUI allow you to choose from "console", "tty*" and "*". Please note that "tty*" does not match every possible terminal in all Operating Systems.
    • For WINRUNAS routes, the terminal should always be set to wild card '*' as terminals are currently not supported on Windows.
  • Hosts and Host Groups - Hosts and Host Groups are the source location for all other methods.
    • Wild cards can be used for referencing hosts by name or by IP address, but Host Groups must be matched exactly. By default only hosts defined in the BoKS database are matched. This can be overridden with a host matching parameter. Most common is ANY/. Others are defined in the ${BOKS_etc}/method.conf. Thus, * matches any host defined in the database, while ANY/* matches any host whether defined or not.
    • Wild cards can be used to match host names and IP addresses.
    • For the "r" commands, one can specify an optional user@ prepended to the host. Although one could use a wild card, it could present security problems. One should either specify the user exactly, or use the $USER variable to match the same user on both source and destination.

Destination location:

  • User - The target user is the destination for SU, SUEXEC and WINRUNAS Access Routes.
    • Wild cards "*" and "?" can be used.
    • For SU, wild cards will not match the root account.
    • An optional @host can be added to limit the hosts on which the route will apply. Wild cards "*" and "?" are allowed.
    • Programs for SUEXEC and WINRUNAS are discussed below.
  • xRole - The target xRole is the destination for SWROLE Access Routes. No wild cards are allowed.
    • There is an additional @host in the Access Route, that is automatically set to "*".
    • These routes are automatically created when an xRole is assigned to a user or User class, and would not be created manually.
  • Hosts and Host Groups - Hosts and Host Groups are the destination location for all other methods. Wild cards "*" and "?" are allowed for hostnames and IP addresses but not for Host Groups.
    • All hosts must be in the database, so ANY/* does not have additional meaning. Other host matching parameters UNIX/ and WINBOKS/ can add value.
    • Wild cards can be used to match host names and IP addresses.
    • Netshare routes have an additional parameter of the netshare. No wild cards allowed for the share.

Program definition:

  • Program paths - The target path must be a full path. This means UNIX paths must begin with a "/" character and Windows paths must begin with ":\". If not, it will be assumed to be a Program Group. A leading "!" character will deny access to that program. Wild cards * and ? can be used.
  • * can be used in different components of a path. "/usr/*/less" and "/usr/*/*" will both match "/usr/bin/less".
  • For the WINRUNAS access method, the program path is case insensitive.
  • Program Groups - The target is a Program Group defined in BoKS. These cannot begin with either "/" or ":\", so that they can be distinguished from program paths. Wild cards cannot be used to match Program Group names.

Program arguments:

  • Allowed program arguments - These are separated from a program path with exactly one space (" ") character. If specified, these are the only options allowed. Wild cards can be used according to the fnmatch rules, which are similar to sudoers syntax:
    • [abc] matches a, b or c
    • [a-z] matches any character in the range a-z
    • [!abc] matches any character but a, b and c
    • [-a] matches - or a
    • [[a] matches [ or a
    • []a] matches ] or a
    • * matches zero or more of any characters except within []
    • ? matches any one character except within []
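The program definition and argument rules above (full path vs. Program Group, the leading "!", the single-space separator, case-insensitive WINRUNAS paths and fnmatch-style arguments), as an added Python illustration that is not BoKS code. It assumes that * and ? do not cross a path separator, that a Windows full path is a drive letter followed by ":\", that a Program Group is a named list of path patterns, and that a matching "!" definition takes precedence over an allow; all function and class names are mine.

```python
import fnmatch
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

def _component_matches(pattern: str, value: str, ci: bool) -> bool:
    """* and ? within one path component; assumed not to cross a separator."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(rx, value, re.IGNORECASE if ci else 0) is not None

def is_full_path(target: str) -> bool:
    """UNIX paths start with '/', Windows paths with a drive letter and ':\\'
    (assumed reading of the ':\\' rule); anything else names a Program Group."""
    return target.startswith("/") or target[1:3] == ":\\"

def path_matches(pattern: str, path: str, ci: bool = False) -> bool:
    """Component-wise: '/usr/*/less' and '/usr/*/*' both match '/usr/bin/less'."""
    sep = "\\" if ":\\" in pattern else "/"
    p, v = pattern.split(sep), path.split(sep)
    return len(p) == len(v) and all(_component_matches(a, b, ci) for a, b in zip(p, v))

@dataclass(frozen=True)
class ProgramRule:
    deny: bool           # leading '!' in the definition
    target: str          # full path pattern or Program Group name
    args: Optional[str]  # fnmatch pattern for the argument string; None = unrestricted
    windows: bool        # WINRUNAS: program path compared case-insensitively

def parse_program_definition(text: str, windows: bool = False) -> ProgramRule:
    """'prog args' is split on exactly one space; no args part means any args."""
    target, sep, args = text.partition(" ")
    deny = target.startswith("!")
    return ProgramRule(deny, target[1:] if deny else target, args if sep else None, windows)

def rule_applies(rule: ProgramRule, path: str, args: str, groups: Dict[str, List[str]]) -> bool:
    """Program target and argument pattern must both match. Program Groups are
    assumed here to be named lists of path patterns."""
    if is_full_path(rule.target):
        hit = path_matches(rule.target, path, rule.windows)
    else:
        hit = any(path_matches(m, path, rule.windows) for m in groups.get(rule.target, ()))
    return hit and (rule.args is None or fnmatch.fnmatchcase(args, rule.args))

def program_allowed(definitions: List[str], path: str, args: str = "",
                    groups: Optional[Dict[str, List[str]]] = None, windows: bool = False) -> bool:
    """Assumed precedence: any matching '!' definition denies, otherwise any match allows."""
    rules = [parse_program_definition(d, windows) for d in definitions]
    hits = [r for r in rules if rule_applies(r, path, args, groups or {})]
    return bool(hits) and not any(r.deny for r in hits)
```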


Last Modified On: August 28, 2019