Bug 1007

Summary: Conflicting Permissions Checks
Product: Sudo
Reporter: hummdis
Component: Visudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: low
Priority: low
Version: 1.8.27
Hardware: All
OS: All

Description hummdis 2021-11-05 14:01:02 MDT
We have hundreds of servers on which we use Ansible to deploy changes to the Sudoers configuration files. During this process, we have Ansible validate the Sudoers files' syntax and permissions. The method we use to validate is:

visudo -csf %s

This is as per the Ansible documentation for deploying Sudoers changes.

However, one of our techs recently deployed a change and it failed on some systems, but was not caught by the above method. I believe I found the cause: when specifying the file, the permissions are not checked; they are only checked when running just "visudo -cs" alone.

For example:

server1:~ # visudo -cs
/etc/sudoers: parsed OK
/etc/sudoers.d/01-ansible: bad permissions, should be mode 0440
/etc/sudoers.d/05-sap: bad permissions, should be mode 0440
/etc/sudoers.d/10-users: bad permissions, should be mode 0440
/etc/sudoers.d/90-cloud: bad permissions, should be mode 0440

However, when specifying the file with "-f":

server1:~ # visudo -csf /etc/sudoers.d/01-ansible-automation
/etc/sudoers.d/01-ansible: parsed OK
server1:~ # 

This is quite concerning because the documentation states that when using "-cs" it checks the permissions of the file. It doesn't state that specifying the file to check omits these checks.

This is certainly not the behavior I expected, but if this is normal, why?
Comment 1 Todd C. Miller 2021-11-05 14:07:24 MDT
This is documented under the description of the -c option:

    If the path to the sudoers file was not specified, visudo will also check the file owner and mode.

This allows "visudo -c" to be used to validate the syntax for uninstalled files, such as those checked in to a revision control system.
Comment 2 hummdis 2021-11-05 14:29:19 MDT
I certainly missed that one.

Given that some systems break when the permissions are not exactly 0440 (the deployment had set the files in /etc/sudoers.d/ to 0755), do you have suggestions as to how we can test and validate on a per-file basis, since "visudo -cs" would only work after the files are in place and thus 'sudo' access is already damaged?
Comment 3 Todd C. Miller 2021-11-05 19:15:46 MDT
I think what is needed are some extra options, something like --check-perms and --check-owner.
Comment 4 Todd C. Miller 2021-11-06 12:38:42 MDT
The following commit adds -O and -P options to visudo to enable ownership and/or permission checks which can be used with the -c option.

https://www.sudo.ws/repos/sudo/rev/1f20721148b0
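The per-file validation asked about in comment 2 can be done today on a sudo without the -O/-P options from the commit above by pairing "visudo -csf" (syntax only) with explicit owner and mode checks, so that a staged fragment set to 0755 fails before it is installed. The script below is an added example, not part of this bug report or of the sudo project; it assumes GNU stat -c and that fragments must be root:root 0440. On a sudo that has the new options, "visudo -c -O -P -s -f FILE" performs the same ownership and permission checks natively.

```shell
#!/bin/sh
# Added example (not from the bug report or from sudo itself): validate a
# sudoers fragment before it is installed. "visudo -csf FILE" checks syntax
# only, so owner and mode are checked here with stat(1).
# Assumptions: GNU stat (-c), and fragments must be owned root:root, mode 0440.

# Mode check: sudoers fragments must be exactly 0440, as "visudo -c" demands
# when run without -f. stat %a prints the octal mode without a leading zero.
sudoers_mode_ok() {
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "440" ]
}

# Ownership check: root:root is assumed here; adjust the group if the site
# uses a different one for sudoers files.
sudoers_owner_ok() {
    owner=$(stat -c '%U:%G' "$1") || return 1
    [ "$owner" = "root:root" ]
}

# Syntax check with visudo in strict mode. A missing visudo is a failure,
# so a CI job without sudo installed does not silently pass.
sudoers_syntax_ok() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found" >&2; return 1; }
    visudo -csf "$1" >/dev/null
}

# Run all three checks, report every failure, and exit non-zero if any
# failed, so an Ansible "validate:" step rejects the deployment.
validate_sudoers_file() {
    f=$1; rc=0
    sudoers_syntax_ok "$f" || { echo "$f: syntax check failed" >&2; rc=1; }
    sudoers_mode_ok "$f"   || { echo "$f: bad permissions, should be mode 0440" >&2; rc=1; }
    sudoers_owner_ok "$f"  || { echo "$f: bad owner, should be root:root" >&2; rc=1; }
    return $rc
}

# Usage: sh validate_sudoers.sh /path/to/staged/fragment
if [ -n "${1:-}" ]; then
    validate_sudoers_file "$1"
fi
```

Point Ansible's validate option at this script (with %s as the argument) instead of "visudo -csf %s", and the staged copy is rejected for a wrong mode or owner before it reaches /etc/sudoers.d/.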
Comment 5 hummdis 2021-11-08 09:25:19 MST
Wow! Thank you!

I honestly didn't expect this, but I appreciate it and will certainly look forward to this being out in all of the repos!  I'm sure it'll make everyone's lives easier.

Thanks, again!

I'll mark 'Resolved' and 'Fixed.'

Cheers!