Bug 333

Summary: includedir sudoers option
Product: Sudo
Reporter: Stepan Koltsov <yozh>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: enhancement    
Priority: low    
Version: 1.7.0   
Hardware: PC   
OS: Other   
Attachments: Diff to add #includedir functionality, relative to sudo 1.7.1
Diff to add #includedir functionality, relative to sudo 1.7.1

Description Stepan Koltsov 2009-02-07 08:44:14 MST
Please, add includedir sudoers file option.

includedir "/etc/sudoers.d"

should include config parts from directory /etc/sudoers.d

We'd like to make users sudoers automatically (for example, by installing debian package mycompany-john-sudoer).
Comment 1 Todd C. Miller 2009-02-08 10:21:40 MST
When visudo is run, it will edit each file explicitly included with a #include directive in sudoers.  If the includedir feature were to be added, do you think the files in that directory should be automatically edited when visudo is run?  
Comment 2 Stepan Koltsov 2009-02-08 10:45:20 MST
No, visudo should not edit included files (there could be lots of them), however, visudo should print warnings if included files have errors.

Extra note: includedir should ignore files having dots in file name to NOT include files like /etc/sudoers.d/john.dpkg-old or /etc/sudoers.d/.john.swp .
Comment 3 Todd C. Miller 2009-04-18 19:21:40 MDT
Created attachment 252
Diff to add #includedir functionality, relative to sudo 1.7.1

Note that this diff is relative to sudo 1.7.1
Comment 4 Todd C. Miller 2009-04-18 19:47:08 MDT
The content of attachment 252 has been deleted by
    Todd C Miller <Todd.Miller@courtesan.com>
who provided the following reason:

obsolete

The token used to delete this attachment was generated at 2009-04-18 19:40:19 EST5EDT.
Comment 5 Todd C. Miller 2009-04-18 19:49:48 MDT
Created attachment 253
Diff to add #includedir functionality, relative to sudo 1.7.1
Comment 6 Stepan Koltsov 2009-04-18 19:51:02 MDT
#includedir should also ignore files with names starting with dot (like vim .john.swp).

logrotate has tabooext directive, and with tabooext unspecified logrotate excludes files whose names end with .rpmorig, .rpmsave, .dpkg-dist, .dpkg-old, .dpkg-new, .disabled, ,v, .swp, .rpmnew, and ~. Probably these extensions should be excluded in sudo too.
Comment 7 Todd C. Miller 2009-04-18 20:06:38 MDT
For now I've decided to just ignore files with a dot in them.  I'll think about adding a knob for this though.
Comment 8 Stepan Koltsov 2009-04-18 20:13:56 MDT
Yes, ignoring files containing dots anywhere in the name is a standard practice.
Comment 9 Todd C. Miller 2009-07-28 13:59:00 MDT
#includedir was added in sudo 1.7.2
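
The two filename filters discussed in this thread, side by side, as an added example (not sudo's code and not taken from attachment 253): the "ignore names containing a dot" rule from comment 7 and the logrotate default tabooext list quoted in comment 6. The function names and the sample file names are constructed for illustration; the comparison shows which backup-style names the suffix list rejects that a dot-only rule would still read.

```c
#include <stdio.h>
#include <string.h>

/* Rule from comment 7: skip any file name that contains a dot. */
static int skipped_by_dot_rule(const char *name)
{
    return strchr(name, '.') != NULL;
}

/* logrotate's default tabooext suffixes, as listed in comment 6. */
static const char *const taboo_suffixes[] = {
    ".rpmorig", ".rpmsave", ".dpkg-dist", ".dpkg-old", ".dpkg-new",
    ".disabled", ",v", ".swp", ".rpmnew", "~",
};

/* Skip a name if it ends with any of the taboo suffixes. */
static int skipped_by_taboo_list(const char *name)
{
    size_t nlen = strlen(name);
    for (size_t i = 0; i < sizeof(taboo_suffixes) / sizeof(taboo_suffixes[0]); i++) {
        size_t slen = strlen(taboo_suffixes[i]);
        if (nlen >= slen && strcmp(name + nlen - slen, taboo_suffixes[i]) == 0)
            return 1;
    }
    return 0;
}

/* Count names the taboo list rejects but the dot rule would still read. */
static int count_dot_rule_gaps(const char *const *names, size_t n)
{
    int gaps = 0;
    for (size_t i = 0; i < n; i++)
        if (skipped_by_taboo_list(names[i]) && !skipped_by_dot_rule(names[i]))
            gaps++;
    return gaps;
}

/* Constructed sample directory listing, not from a real system. */
static const char *const sample_names[] = {
    "john", "john.dpkg-old", ".john.swp", "john~", "john,v", "10-admins",
};

int main(void)
{
    size_t n = sizeof(sample_names) / sizeof(sample_names[0]);
    for (size_t i = 0; i < n; i++)
        printf("%-14s dot-rule:%s taboo-list:%s\n", sample_names[i],
               skipped_by_dot_rule(sample_names[i]) ? "skip" : "read",
               skipped_by_taboo_list(sample_names[i]) ? "skip" : "read");
    printf("gaps: %d\n", count_dot_rule_gaps(sample_names, n));
    return 0;
}
```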