Bug 775

Summary: Clarify in man page: /sudoers read before /sudoers.d/*
Product: Sudo
Reporter: Loren M <mcint>
Component: Documentation
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: enhancement    
Priority: low    
Version: 1.8.10   
Hardware: All   
OS: Linux   

Description Loren M 2017-02-13 03:00:24 MST
At present the sudoers man page states that "sudoers.d/*" files are read in lexicographic order, but does not clearly state that "sudoers" is read before files contained in "sudoers.d".

While potentially obvious to some, it's been the subject of a brief argument and some testing to determine behavior. It would be nice to have the section of the man page covering config read-ordering cover the other relevant file.
Comment 1 Todd C. Miller 2017-05-08 13:42:14 MDT
Actually, the order in which sudoers.d/* files are read depends on where the #includedir directive is placed in /etc/sudoers.  Typically it is at the end but it doesn't need to be.

When /etc/sudoers is opened and parsed, if it encounters a #include or #includedir directive, that file (or group of files for #includedir) is parsed and when the end is reached, the original file continues parsing.
Comment 2 Todd C. Miller 2017-05-08 13:56:04 MDT
I've attempted to clarify the situation in https://www.sudo.ws/repos/sudo/rev/f68769f15356
Comment 3 Todd C. Miller 2017-05-10 10:35:31 MDT
The documentation change is present in sudo 1.8.20, available now.
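The include behaviour described in Comment 1, modelled as an added example (not part of the bug thread and not sudo's own code): a small simulator that lists sudoers entries in the order they are parsed, so the effect of where #includedir sits can be checked. The file tree, user names and function names are constructed for illustration; it assumes absolute include paths, and applies the sudoers manual's rule that #includedir skips names ending in '~' or containing '.'.

```python
import posixpath

# Constructed sample tree for illustration: path -> file contents.
SAMPLE = {
    "/etc/sudoers": (
        "Defaults env_reset\n"
        "#includedir /etc/sudoers.d\n"
        "%wheel ALL=(ALL) ALL\n"
    ),
    "/etc/sudoers.d/90-deploy": "deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl\n",
    "/etc/sudoers.d/10-ops": "ops ALL=(ALL) ALL\n",
    "/etc/sudoers.d/50-old.bak": "old ALL=(ALL) ALL\n",  # skipped: contains '.'
    "/etc/sudoers.d/20-tmp~": "tmp ALL=(ALL) ALL\n",     # skipped: ends in '~'
}

def includedir_members(files, directory):
    """Files directly in `directory`, in sorted lexical order, minus skipped names."""
    directory = directory.rstrip("/")
    members = []
    for path in files:
        parent, name = posixpath.split(path)
        if parent == directory and not name.endswith("~") and "." not in name:
            members.append(path)
    return sorted(members)

def parse_order(files, path="/etc/sudoers", depth=0):
    """Return [(path, lineno, text)] in the order the entries are parsed."""
    if depth > 128:  # guard against include loops
        raise RecursionError("include nesting too deep at " + path)
    entries = []
    for lineno, line in enumerate(files[path].splitlines(), 1):
        words = line.split()
        if len(words) == 2 and words[0] == "#include":
            # Parse the included file fully, then resume the current file.
            entries += parse_order(files, words[1], depth + 1)
        elif len(words) == 2 and words[0] == "#includedir":
            for member in includedir_members(files, words[1]):
                entries += parse_order(files, member, depth + 1)
        elif words:
            entries.append((path, lineno, line.strip()))
    return entries

if __name__ == "__main__":
    for path, lineno, text in parse_order(SAMPLE):
        print(f"{path}:{lineno}: {text}")
```

With this sample the `%wheel` line in /etc/sudoers is parsed after both sudoers.d files, because it follows the #includedir directive.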