Feature request: acls: utilize FNM_EXTMATCH with fnmatch(...) if possible #28

@tim-nordell-nimbelink

There are several ACLs in luci where folks intend to match multiple characters:

[user@localhost luci]$ git grep ']\*' 'applications/*.json'
applications/luci-app-adblock/root/usr/share/rpcd/acl.d/luci-app-adblock.json:                          "/etc/init.d/adblock report [a-z]* [0-9]* [0-9]* *": [ "exec" ],
applications/luci-app-banip/root/usr/share/rpcd/acl.d/luci-app-banip.json:                              "/etc/init.d/banip search [A-Za-z0-9:.]*": [ "exec" ],
applications/luci-app-banip/root/usr/share/rpcd/acl.d/luci-app-banip.json:                              "/etc/init.d/banip content [A-Za-z0-9]* *": [ "exec" ],
applications/luci-app-minidlna/root/usr/share/rpcd/acl.d/luci-app-minidlna.json:                                "/usr/bin/wget -q http://127.0.0.1:[0-9]*/ -O -": [ "exec" ]
applications/luci-app-tinyproxy/root/usr/share/rpcd/acl.d/luci-app-tinyproxy.json:                              "/usr/bin/wget -q http://127.0.0.1:[0-9]*/ -O -": [ "exec" ],
applications/luci-app-travelmate/root/usr/share/rpcd/acl.d/luci-app-travelmate.json:                            "/etc/init.d/travelmate setup [0-9a-z_]* [0-9a-z_]* [0-9]*" : [ "exec" ],

Unfortunately, since these aren't regular expressions, these are not doing what the authors intended.

If the libraries on the system support it, FNM_EXTMATCH (which is a GNU extension) could be a useful change to rpcd so that luci's ACLs could take advantage of it:

       FNM_EXTMATCH
              If  this flag (a GNU extension) is set, extended patterns are sup‐
              ported, as introduced by 'ksh' and now supported by other  shells.
              The  extended  format is as follows, with pattern-list being a '|'
              separated list of patterns.

       '?(pattern-list)'
              The pattern matches if zero or one occurrences of any of the  pat‐
              terns in the pattern-list match the input string.

       '*(pattern-list)'
              The pattern matches if zero or more occurrences of any of the pat‐
              terns in the pattern-list match the input string.

       '+(pattern-list)'
              The  pattern matches if one or more occurrences of any of the pat‐
              terns in the pattern-list match the input string.

       '@(pattern-list)'
              The pattern matches if exactly one occurrence of any of  the  pat‐
              terns in the pattern-list match the input string.

       '!(pattern-list)'
              The pattern matches if the input string cannot be matched with any
              of the patterns in the pattern-list.

See openwrt/luci#8426.
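
Added example, not part of the issue text or of rpcd's code: a small C program that runs the banip ACL key quoted above through fnmatch(3), first as a plain glob and then as an extglob rewrite with FNM_EXTMATCH, falling back cleanly when the libc lacks the extension. The rewritten pattern, the sample command lines, the helper names and the use of flags 0 for the plain call are assumptions made for illustration.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE /* must precede the includes; exposes FNM_EXTMATCH on glibc */
#endif
#include <fnmatch.h>
#include <stdio.h>

/* ACL key as quoted from luci-app-banip.json, and a hypothetical extglob rewrite. */
const char *const ACL_GLOB = "/etc/init.d/banip search [A-Za-z0-9:.]*";
const char *const ACL_EXT  = "/etc/init.d/banip search *([A-Za-z0-9:.])";

/* Constructed command lines, for illustration only. */
const char *const CMD_INTENDED = "/etc/init.d/banip search 10.0.0.1";
const char *const CMD_EXTRA    = "/etc/init.d/banip search 10.0.0.1 extra unvetted words";

/* 1 if this libc offers the GNU extension, 0 otherwise. */
int ext_supported(void)
{
#ifdef FNM_EXTMATCH
    return 1;
#else
    return 0;
#endif
}

/* Plain glob semantics: "[set]*" is ONE character from the set, then anything.
 * Flags of 0 are an assumption; the flags rpcd passes are not shown on the page. */
int glob_allows(const char *pattern, const char *cmd)
{
    return fnmatch(pattern, cmd, 0) == 0;
}

/* Extglob semantics: "*([set])" is zero or more characters from the set only.
 * Returns 1 on match, 0 on no match, -1 when FNM_EXTMATCH is unavailable. */
int extglob_allows(const char *pattern, const char *cmd)
{
#ifdef FNM_EXTMATCH
    return fnmatch(pattern, cmd, FNM_EXTMATCH) == 0;
#else
    (void)pattern; (void)cmd;
    return -1;
#endif
}

int main(void)
{
    const char *cmds[] = { CMD_INTENDED, CMD_EXTRA };
    for (size_t i = 0; i < 2; i++)
        printf("glob=%d extglob=%d  %s\n", glob_allows(ACL_GLOB, cmds[i]),
               extglob_allows(ACL_EXT, cmds[i]), cmds[i]);
    return 0;
}
```

On glibc the plain glob accepts both command lines, while the extglob form accepts only the one whose argument consists entirely of characters from the bracket set.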
