Bug 519

Summary: visudo (strict checking) reports "parse error" even if there is no error
Product: Sudo
Reporter: [Pat] <patrice.lutmann>
Component: Visudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: low    
Version: 1.7.5   
Hardware: All   
OS: Linux   
Attachments: patch to visudo to fix bug 519

Description [Pat] 2011-10-26 06:00:36 MDT
Sample /etc/sudoers:

User_Alias FOO = nobody
FOO ALL=(ALL) NOPASSWD: ALL

And if you run:

# visudo -csf /etc/sudoers
parse error in /etc/sudoers

The bug seems located in check_aliases() during the reverse check.
Comment 1 Todd C. Miller 2011-10-26 11:11:36 MDT
Created attachment 320
patch to visudo to fix bug 519

The callers of alias_remove_recursive() expect it to return 1 on success, 0 on failure, but it was returning non-zero on error instead.  The attached patch fixes this.
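
The return-convention mismatch described in Comment 1, shown as an added example: this is a simplified model in C, not sudo's code and not part of the original report. The names `remove_walk`, `alias_remove_buggy`, `alias_remove_fixed`, `strict_check` and the `OPS` alias are hypothetical. It shows the same caller reading a valid alias as an error, and an undefined one as success, when the callee returns an error flag instead of 1 on success.

```c
#include <stdio.h>
#include <string.h>

/* Constructed alias table modelling two sudoers lines:
 *   User_Alias FOO = nobody   (the report's sample)
 *   User_Alias OPS = FOO      (constructed, to exercise recursion) */
struct alias { const char *name; const char *member; int present; };
static struct alias table[2];

static void load_sample(void) {
    table[0] = (struct alias){ "FOO", "nobody", 1 };
    table[1] = (struct alias){ "OPS", "FOO", 1 };
}

static struct alias *find_any(const char *name) {
    for (int i = 0; i < 2; i++)
        if (strcmp(table[i].name, name) == 0) return &table[i];
    return NULL;
}

/* Remove `name` and any alias it refers to. Returns an error FLAG:
 * 0 = removed (or already removed), 1 = name is not a defined alias. */
static int remove_walk(const char *name) {
    struct alias *a = find_any(name);
    if (a == NULL) return 1;
    if (!a->present) return 0;
    a->present = 0;
    return find_any(a->member) ? remove_walk(a->member) : 0;
}

/* Old convention: hands the error flag straight back (non-zero on error). */
static int alias_remove_buggy(const char *name) { return remove_walk(name); }
/* Convention the callers expect: 1 on success, 0 on failure. */
static int alias_remove_fixed(const char *name) { return !remove_walk(name); }

/* Caller written against "1 = success"; returns the error count for the
 * alias used by a rule such as `<name> ALL=(ALL) NOPASSWD: ALL`. */
static int strict_check(int (*remove_fn)(const char *), const char *name) {
    load_sample();
    return remove_fn(name) ? 0 : 1;
}

int main(void) {
    printf("old,   FOO defined:   %d error(s)\n", strict_check(alias_remove_buggy, "FOO"));
    printf("fixed, FOO defined:   %d error(s)\n", strict_check(alias_remove_fixed, "FOO"));
    printf("old,   BAR undefined: %d error(s)\n", strict_check(alias_remove_buggy, "BAR"));
    printf("fixed, BAR undefined: %d error(s)\n", strict_check(alias_remove_fixed, "BAR"));
    return 0;
}
```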
Comment 2 [Pat] 2011-10-27 08:07:29 MDT
Hi
Comment 3 [Pat] 2011-10-27 08:19:52 MDT
Hi

    The patch fixes the mentioned bug.

    But, if you swap the two lines of the sample sudoers file, visudo (strict checking) should complain because the alias is defined after its use.
    In the man page, it is said that "it is not possible to differentiate between an alias and a host name or user name that consists solely of uppercase letters...", but forward and reverse checks should detect such a situation if you parse the sudoers from the bottom line.

    What do you think?

Regards

    [Pat]
Comment 4 Todd C. Miller 2012-03-13 10:00:22 MDT
It is perfectly OK to use an alias before it is defined in sudo 1.7 and higher.  When sudoers is parsed, the aliases are stored before the rules are evaluated.