Bug 264

Summary: visudo doesn't verify permissions of sudoers file
Product: Sudo
Reporter: Todd Brandt <tebrandt>
Component: Visudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: high
Priority: normal
Version: 1.6.8
Hardware: PC
OS: Linux

Description Todd Brandt 2007-09-30 04:39:05 MDT
Main issue:
The visudo -c -s -f check should ensure that the file which is about to replace sudoers will have no issues whatsoever when accessed by sudo, i.e. any requirements sudo has on /etc/sudoers must be reflected and verified by visudo; this is not the case.

Specific fail case:
sudo will fail if the /etc/sudoers file's permissions are not set to 440, which is potentially disastrous in Ubuntu since the root account is locked and the only way to edit /etc/sudoers is through sudo -s. Thus, if you make this mistake, you have to rescue the system.

If this is a requirement of the /etc/sudoers file, and if this means that sudo will not run without it, then visudo should detect this issue, but it doesn't. Running "visudo -c -s -f <file>" on a sudoers file that has permissions other than 440 returns no error.
Comment 1 Todd C. Miller 2008-11-09 15:21:11 MST
visudo in sudo 1.7.0 will check the owner and mode on the sudoers file in -c mode if -s is specified.  The change will be present in sudo 1.7.0rc4 to be released shortly.
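The preflight the reporter asks for, and that comment 1 says visudo -c -s gained in 1.7.0, written out as an added example (this is not code from sudo or visudo, and the function names are made up here). It assumes GNU coreutils stat (Linux, as in the report) and a stock sudo build that expects sudoers to be root-owned (uid 0, gid 0) with mode 0440; the expected uid/gid are parameters so a build configured with a different sudoers owner can reuse it. The demonstration at the bottom uses a constructed scratch file owned by the current user, which is why it passes the current uid/gid rather than 0:0.

```shell
#!/bin/sh
# Added example, not sudo's own code: the owner/mode check that
# "visudo -c -s -f FILE" did not perform in sudo 1.6.8.
# Assumes GNU coreutils `stat` (Linux).

# Usage: sudoers_perms_ok FILE [UID] [GID]
# Returns 0 only when FILE is mode 0440 and owned by UID:GID.
# UID/GID default to 0:0 (root:root), which a stock sudo build requires.
sudoers_perms_ok() {
    file=$1
    want_uid=${2:-0}
    want_gid=${3:-0}

    # %a = octal mode (no leading zero), %u/%g = numeric owner/group
    if ! perms=$(stat -c '%a %u %g' "$file" 2>/dev/null); then
        echo "$file: cannot stat file" >&2
        return 1
    fi
    mode=${perms%% *}
    rest=${perms#* }
    uid=${rest%% *}
    gid=${rest#* }

    rc=0
    if [ "$mode" != "440" ]; then
        echo "$file: mode is 0$mode, sudo requires 0440" >&2
        rc=1
    fi
    if [ "$uid" != "$want_uid" ] || [ "$gid" != "$want_gid" ]; then
        echo "$file: owned by $uid:$gid, expected $want_uid:$want_gid" >&2
        rc=1
    fi
    return $rc
}

# Usage: sudoers_preflight FILE [UID] [GID]
# What a complete "visudo -c -s -f FILE" should amount to: a syntax check
# (delegated to visudo -c -f when it is installed) plus the owner/mode
# check above. Refuse the file if either part fails.
sudoers_preflight() {
    file=$1
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$file" || return 1
    else
        echo "visudo not found, skipping syntax check" >&2
    fi
    sudoers_perms_ok "$file" "${2:-0}" "${3:-0}"
}

# Constructed demonstration on a scratch file owned by the current user.
# The mode mistake from the report (0644 instead of 0440) is rejected;
# the correct mode is accepted.
tmp=$(mktemp)
printf 'root ALL=(ALL) ALL\n' > "$tmp"
chmod 0644 "$tmp"
sudoers_perms_ok "$tmp" "$(id -u)" "$(id -g)" \
    && echo "0644 accepted (wrong)" || echo "0644 rejected (correct)"
chmod 0440 "$tmp"
sudoers_perms_ok "$tmp" "$(id -u)" "$(id -g)" \
    && echo "0440 accepted (correct)" || echo "0440 rejected (wrong)"
rm -f "$tmp"
```

Run it as `sh check_sudoers.sh` to see the two verdicts; the owner check is the part that bites on a real system, since a file copied into place by a non-root editor will be mode 0440 yet still rejected by sudo if it is not root-owned.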