Bugzilla – Full Text Bug Listing

| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | Double Cmnd_Alias is not checked in multiple sudoers files | | |
| Product: | Sudo | Reporter: | Alex Ten <sudo.20.bugreport> |
| Component: | Visudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | ASSIGNED --- | | |
| Severity: | normal | | |
| Priority: | low | | |
| Version: | 1.7.6 | | |
| Hardware: | PC | | |
| OS: | Linux | | |
Description:

When a Cmnd_Alias (name) is used more than once, sudo refuses to work at all. For example:

```
:~> sudo -i
>>> /etc/sudoers.d/supportteam: Alias `TROUBLESHOOTING_COMMANDS' already defined near line 2 <<<
sudo: parse error in /etc/sudoers.d/supportteam near line 2
sudo: no valid sudoers sources found, quitting
```

The Cmnd_Alias was defined in two separate files inside the /etc/sudoers.d folder, both were saved with visudo, and both were accepted as valid. If the current sudo behaviour is not changed, then visudo should check for duplicate aliases.

Other sudo configuration doesn't seem troubled with multiple occurrences, for example: a directive that gives a user access to a command without password, followed by one which requires a password, means that the last directive is used. Why not the same behaviour with an alias as well?

What puzzles me is that sudo stops all usage, why not just ignore a specific file in /etc/sudoers.d if it is not valid? Or only use the /etc/sudoers file itself and ignore the /etc/sudoers.d folder and its contents? The error message "no valid sudoers sources found" seems to suggest that multiple sources (files?) are checked and none is valid, while actually only a combination of two are not acceptable and the rest is fine.

Maybe I've overlooked it, but I haven't seen any mention in the sudo documentation that the Cmnd_Alias name should be unique.

Regards, Alex

Comment 1:

The problem is that those are not really separate files. The files in /etc/sudoers.d are include files that get merged with the main /etc/sudoers so checking them separately is not effective. You need to check the sudoers file in its entirety by running "visudo -c". The way include files are handled is to just divert from the main sudoers file, read the include file, and then resume reading the main sudoers. As such there is no way to just ignore a bad include. It should be possible to change the way includes are parsed to keep more state (or just journal the changes) such that it is possible to roll back to the pre-include state but that's not currently how it works. There is an existing bug, #618, about this.

The "no valid sudoers sources found" message refers to the fact that you can have either file-based sudoers or LDAP-based sudoers and if one is invalid, the other may be used.

If the documentation doesn't mention that duplicate aliases are not permitted then that needs to be fixed.

Comment 2:

Thank you for your response. I did miss one point in your reply: why not just take the last Cmnd_Alias with the same name and ignore earlier declarations? It would be more consistent with a user or group being assigned the possibility to execute some commands and a later declaration overriding the earlier statement.

As far as I've been able to determine (with a newly installed version 1.8.5p2) running "visudo -c" checks /etc/sudoers and the files in the include dir /etc/sudoers.d/ but that only confirms whether it's already broken or not. As in, the damage is already done in case something went wrong. If a Cmnd_Alias is in the /etc/sudoers file it is still possible to add it to a file in /etc/sudoers.d with visudo -f (but not vice versa!). And if the Cmnd_Alias is in a file in the /etc/sudoers.d folder it is also possible to add the same Cmnd_Alias in another file.

Running a check with visudo -cf on a file only checks the validity of that single file, not in regards to the main sudoers file and/or the files in the /etc/sudoers.d folder. It doesn't matter whether that file is in another location on the filesystem or temporarily disabled by putting a dot in the file name and having it present in the /etc/sudoers.d folder.

I did a brief search for a bug like it, but the search function didn't return anything with the search terms I used (parts of the error message I got). The next guy/gal will find this report if s/he stumbles over the problem I guess. :-)

Are you planning on adding support for more sources? If not then the error message might be clearer as "no valid file- or LDAP-based sources found".

regards, Alex
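A cross-file check for the gap discussed in this thread, added here as an example and not part of sudo, visudo or the bug report itself: it scans the main sudoers file, the include directory and an optional candidate drop-in for alias names defined more than once, which is exactly what `visudo -cf FILE` cannot see because it validates one file in isolation. The function names, the sample files and the commands in them (/bin/dmesg, /usr/bin/strace, /usr/sbin/tcpdump) are constructed for the example; it assumes the common `Type NAME = ...` form on a single line and does not follow backslash continuations or nested includes.

```shell
#!/bin/sh
# Added example (not sudo's or visudo's own code): pre-install check for
# alias names defined more than once across the main sudoers file, its
# include directory and a candidate drop-in.  "visudo -cf FILE" validates
# FILE on its own, so a duplicate in another file is only caught when the
# merged configuration is parsed ("visudo -c", or sudo itself).
# Assumption/limitation: only "Type NAME = ..." definitions at the start of
# a line are recognised; continuation lines and nested #include are ignored.
# Prints "Type NAME: file1 file2..." per duplicate; returns 1 if any, else 0.
check_duplicate_aliases() {
    main="$1"; dir="$2"; candidate="$3"
    set -- "$main"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # sudo skips include-dir entries containing '.' or ending in '~'
        case "${f##*/}" in *.*|*~) continue ;; esac
        set -- "$@" "$f"
    done
    if [ -n "$candidate" ]; then set -- "$@" "$candidate"; fi
    awk '
        /^[ \t]*(Cmnd|User|Host|Runas)_Alias[ \t]+[A-Z0-9_]+[ \t]*=/ {
            key = $1 " " $2; sub(/[ \t]*=.*/, "", key)   # "Cmnd_Alias NAME"
            seen[key] = seen[key] " " FILENAME; count[key]++
        }
        END {
            dup = 0
            for (k in seen) if (count[k] > 1) { print k ":" seen[k]; dup = 1 }
            exit dup
        }' "$@"
}

# Constructed sample layout reproducing the report: the same Cmnd_Alias saved
# into two drop-in files; "old.disabled" contains a dot, so sudo ignores it.
make_sample_config() {
    d=$(mktemp -d); mkdir "$d/sudoers.d"
    printf '%s\n' 'Defaults env_reset' 'Cmnd_Alias SERVICES = /usr/sbin/service' \
        "#includedir $d/sudoers.d" > "$d/sudoers"
    printf '%s\n' 'Cmnd_Alias TROUBLESHOOTING_COMMANDS = /bin/dmesg, /usr/bin/strace' \
        '%support ALL = (root) TROUBLESHOOTING_COMMANDS' > "$d/sudoers.d/supportteam"
    printf '%s\n' 'Cmnd_Alias TROUBLESHOOTING_COMMANDS = /usr/sbin/tcpdump' \
        '%ops ALL = (root) TROUBLESHOOTING_COMMANDS' > "$d/sudoers.d/ops"
    printf '%s\n' 'Cmnd_Alias SERVICES = /bin/systemctl' > "$d/sudoers.d/old.disabled"
    echo "$d"
}

sample=$(make_sample_config)
check_duplicate_aliases "$sample/sudoers" "$sample/sudoers.d" \
    || echo "duplicate aliases found; fix them before installing, then run: visudo -c"
rm -rf "$sample"
```

Run it against the real paths before copying a new file into /etc/sudoers.d, and still confirm the merged result with `visudo -c` as the maintainer advises.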