Bug 399

Summary: bad permissions on a file in an includedir breaks sudo
Product: Sudo Reporter: Bdale Garbee <bdale>
Component: Sudo Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.7.2   
Hardware: PC   
OS: Linux   

Description Bdale Garbee 2010-03-11 15:40:44 MST
In my Debian packaging of sudo, I now include the directive

#includedir /etc/sudoers.d

to allow users to create local config fragments without having to modify the stock sudoers file I deliver.

As reported in Debian bug 565552, it appears that if the permissions on a file in that directory are wrong, such as 0644 instead of 0440, sudo will exit with an error message and not run the requested command.

This makes managing the permissions on files in the includedir highly critical.  Would it make sense, perhaps, to change this behavior so that files with incorrect permissions are skipped with a warning, but the remainder of the sudoers content is processed and the requested command run if the working portions of the config allow it?
Comment 1 Todd C. Miller 2010-03-11 15:51:58 MST
Yes, that sounds reasonable.
Comment 2 Todd C. Miller 2010-06-08 16:55:37 MDT
This will be fixed in sudo 1.7.3.  An actual parse error in the file will still cause sudo to error out, however.  Changing that requires more invasive changes to the parser.
Comment 3 Todd C. Miller 2010-06-18 16:14:55 MDT
Fixed in sudo 1.7.3.  Beta versions are out now, GA is due at the end of June.
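
An added example, not part of the bug thread or of sudo itself: a pre-deployment check that lists fragments in an includedir whose mode differs from the 0440 the report describes, so a mis-moded file is caught before sudo either aborts (1.7.2) or skips it with a warning (1.7.3). The function name and arguments are hypothetical, GNU `stat` is assumed, and the rule that sudo ignores names ending in `~` or containing `.` is taken from the sudoers manual rather than from this report.

```shell
#!/bin/sh
# Added example: audit an #includedir for fragments with the wrong mode.
# Usage: audit_includedir DIR [MODE]   (MODE defaults to 440)
# Prints one "BAD ..." line per offending file; returns 1 if any were found.

audit_includedir() {
    local dir want bad f name mode
    dir=$1
    want=${2:-440}
    bad=0
    for f in "$dir"/*; do
        # Only regular files are parsed as fragments; an empty directory
        # leaves the glob unexpanded and falls through here as well.
        [ -f "$f" ] || continue
        name=${f##*/}
        # Per the sudoers manual, names ending in '~' or containing '.'
        # are never read, so their permissions cannot break sudo.
        case $name in
            *"~"|*.*) continue ;;
        esac
        # %a is the octal mode without a leading zero, e.g. 440 or 644.
        mode=$(stat -L -c '%a' -- "$f") || continue
        if [ "$mode" != "$want" ]; then
            printf 'BAD %s mode=%s expected=%s\n' "$f" "$mode" "$want"
            bad=1
        fi
    done
    return "$bad"
}

# Run directly with a directory argument, e.g.: sh audit.sh /etc/sudoers.d
if [ "$#" -gt 0 ]; then
    audit_includedir "$@"
fi
```

Running this from the packaging or configuration-management step that installs fragments catches a stray 0644 before it reaches a host.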