Bug 492

Summary: Excessively picky about mode for sudoers.d files; requires 0440
Product: Sudo
Component: Sudo
Reporter: Josh Triplett <josh>
Assignee: Todd C. Miller <Todd.Miller>
CC: jhawk
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.7.4
Hardware: All
OS: All

Description Josh Triplett 2011-04-20 18:06:38 MDT
sudo: /etc/sudoers.d/josh-config-sudoers is mode 0644, should be 0440

I prefer to make config files world-readable and root-writable unless they contain secrets in them, and that file certainly doesn't.  I can understand sudo ignoring world-writable files, or group-writable files (at least for group != root), but sudo should not refuse to read a config file just because I've made it world-readable or user-writable.

This bug nearly locked me out of a remote system.  In the process of merging the /etc from an old system into a new system, and copying around configuration files, I ended up with a sudoers file with mode 0644, rather than 0440.  As a result, I could no longer sudo on that system, which meant I couldn't easily fix the permissions.  Fortunately I had a root password set, and I had stored the root password in an encrypted file on my personal system, but if I hadn't I would have lost root access to the system entirely.

I can completely understand sudo refusing to accept sudoers files writable by non-root.  However, sudo should not object to sudoers files *readable* by non-root.  This seems like security by obscurity; knowing what commands users may run does not reduce the security of the system.
Comment 1 John Hawkinson 2012-02-21 16:34:47 MST
I'd like to +1 this, if I may, for all the reasons Josh supplied.
In many environments I'd like users to be able to determine who the sudoers are.

I suppose that the sudoers file could grant all users the permission to cat the sudoers file, but that is clumsy. I would much rather have this feature go away, or at least a reasonable option to disable it.

Ideally not a build-time option, since it is convenient to use packaged binaries. Thanks.
Comment 2 Todd C. Miller 2012-02-22 16:16:06 MST
Knowing who has sudoers permissions tells a potential attacker what user accounts to target in order to gain root privileges.  That's why the default sudoers mode is not world-readable.  This is settable at build time with the --with-sudoers-mode configure setting.

I've relaxed the permission checking for sudo 1.8.5 and will keep this bug open until 1.8.5 is released.
Comment 3 John Hawkinson 2012-02-22 16:29:34 MST
(In reply to comment #2)

Thank you, Todd.

> Knowing who has sudoers permissions tells a potential attacker what
> user accounts to target in order to gain root privileges.

Understood. That's a trade-off that I think is reasonable for sysadmins to make a judgement on, but you are right that it is not without cost.

Incidentally, "visudo -c" does not check the modes. That feels...unfortunate, because it makes it easier to lock yourself out of sudo, even if you are careful. IMO that should be something that is very very hard to do. Should a separate bug be filed?

(In fact, I would think that if this feature of mode-checking was retained, that it would be better to simply be extremely noisy about the misconfiguration, but never to lock out legitimate users. But this is a philosophical question).

> This is settable at build time with the --with-sudoers-mode
> configure setting.

I noticed that, but it seems problematic in two ways:
#1 It does not help those who use binary packages, which is just about everybody.
#2 In a shared administrative environment where there are admins (or scripts!) used to sudo's mode 440 requirement, it doesn't seem a huge stretch that someone may attempt to be helpful by resetting the mode to 440 from 444, thus breaking everything.

It would be much better to have a way to get rid of the check entirely.


> I've relaxed the permission checking for sudo 1.8.5 and will keep this
> bug open until 1.8.5 is released.

Great. I would love to see the details on this, but it does not yet appear to be at http://www.sudo.ws/repos/sudo, unless I am missing it.
Comment 4 Todd C. Miller 2012-02-23 15:57:59 MST
visudo will check the mode in "strict mode", e.g.

# visudo -c -s
/etc/sudoers: parsed OK
/etc/sudoers: bad permissions, should be mode 0440

However, it currently only checks permissions for the main sudoers file and not the included ones.  It's probably reasonable to check permissions by default unless the -f flag was specified.

I hadn't pushed the change to the source repo yet; it's there now:
http://www.sudo.ws/repos/sudo/rev/241174babfcc
Comment 5 Todd C. Miller 2012-05-17 11:29:01 MDT
Sudo 1.8.5 is less picky about the sudoers file modes.
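
Added example (not part of the bug thread and not sudo's code): a pre-deployment audit that applies the mode check to the main sudoers file and to every file in sudoers.d, covering the included files that comment 4 says "visudo -c -s" does not check. The strict rule is the exact-0440 requirement from the error message in the description; the relaxed rule is the one the reporter proposes (reject only group/other-writable files) and is an assumption, not a copy of the 1.8.5 check. The function names and the `--relaxed` switch are hypothetical.

```python
import os
import stat
import sys

STRICT_MODE = 0o440  # mode demanded by the error message quoted in this bug


def check_mode(st_mode, st_uid, strict=True, owner_uid=0):
    """Return a list of problems for one file; an empty list means acceptable.

    strict=True  -> exact-mode rule behind the "should be 0440" error.
    strict=False -> rule proposed in the report: reject only group/other write
                    (an assumption, not sudo 1.8.5's actual check).
    """
    problems = []
    perms = stat.S_IMODE(st_mode)
    if not stat.S_ISREG(st_mode):
        problems.append("not a regular file")
    if st_uid != owner_uid:
        problems.append(f"owned by uid {st_uid}, expected {owner_uid}")
    if strict and perms != STRICT_MODE:
        problems.append(f"is mode {perms:04o}, should be {STRICT_MODE:04o}")
    if not strict and perms & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"is mode {perms:04o}, writable by group or other")
    return problems


def sudoers_files(main="/etc/sudoers", include_dir="/etc/sudoers.d"):
    """Main file plus the included ones, so both get the same check."""
    paths = [main]
    if os.path.isdir(include_dir):
        paths += [os.path.join(include_dir, n) for n in sorted(os.listdir(include_dir))]
    return paths


def audit(paths, strict=True, owner_uid=0):
    """Map each path to its list of problems (lstat, so symlinks are flagged)."""
    report = {}
    for path in paths:
        st = os.lstat(path)
        report[path] = check_mode(st.st_mode, st.st_uid, strict, owner_uid)
    return report


if __name__ == "__main__":
    report = audit(sudoers_files(), strict="--relaxed" not in sys.argv)
    for path, problems in report.items():
        print(f"{path}: {'; '.join(problems) or 'OK'}")
    sys.exit(1 if any(report.values()) else 0)
```

Run it as root after copying or merging files under /etc and before closing the existing root session; a non-zero exit status means at least one file failed the selected rule.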