Bug 809

Summary: Inconsistent visudo output in check mode: permissions are not checked when a file is provided.
Product: Sudo
Reporter: francois.serman
Component: Visudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
Priority: low
Version: 1.8.21
Hardware: PC
OS: Linux

Description francois.serman 2017-12-06 03:51:02 MST
When using visudo -c to check the configuration, it checks every sudoers file, including the ones from the includedir directive.
This check also includes file permissions.

# visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/90-cloud-init-users: parsed OK
/etc/sudoers.d/README: parsed OK
/etc/sudoers.d/nagios: bad permissions, should be mode 0440

When a configuration file is provided (using -f), the permissions are not checked.

# visudo -c -f /etc/sudoers.d/nagios
/etc/sudoers.d/nagios: parsed OK

Side question: why 0440?


Note: it also holds for sudo since (at least) v1.8.10 but I couldn't select multiple versions.
Comment 1 Todd C. Miller 2017-12-06 10:04:40 MST
This is by design.  When the owner and permission check was added to "visudo -c" it explicitly excluded the file specified by the -f option to make it possible to check sudoers files that are not installed.

If you want to check an installed sudoers file you should be using "visudo -c" without the -f option.  The reason for this is that the sudoers policy is parsed in its entirety so checking an individual include file doesn't tell you whether or not the entire policy parses.

The reason for the default file mode being 0440 is to make it possible to have sudoers on an NFS share that remaps uid 0 to an unprivileged uid (which is the default for NFS).
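The owner and mode check that "visudo -c" applies to installed files but "visudo -c -f FILE" skips, written out as an added example (not code from the sudo project); it assumes GNU coreutils stat, and the function and parameter names are made up for illustration.

```shell
#!/bin/sh
# check_sudoers_perms FILE [EXPECTED_UID] [EXPECTED_MODE]
# Reports ownership/mode problems in the style of "visudo -c" and returns
# 1 on any mismatch. Defaults match visudo's defaults: uid 0, mode 0440.
# EXPECTED_MODE is given as stat prints it (e.g. "440"). Assumes GNU stat.
check_sudoers_perms() {
    file=$1
    want_uid=${2:-0}
    want_mode=${3:-440}
    [ -e "$file" ] || { echo "$file: no such file"; return 1; }
    # Owner uid and octal mode of the file itself (not a symlink target).
    set -- $(stat -c '%u %a' "$file")
    have_uid=$1
    have_mode=$2
    rc=0
    if [ "$have_uid" != "$want_uid" ]; then
        echo "$file: wrong owner (uid $have_uid), should be uid $want_uid"
        rc=1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        echo "$file: bad permissions, should be mode 0$want_mode"
        rc=1
    fi
    if [ "$rc" -eq 0 ]; then
        echo "$file: permissions OK"
    fi
    return "$rc"
}

# check_installed FILE: what a full check of one installed include file
# looks like: the parse check visudo does with -f, plus the permission
# check it leaves out. Use plain "visudo -c" to validate the whole policy.
check_installed() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1" || return 1
    fi
    check_sudoers_perms "$1"
}
```

Running `check_installed /etc/sudoers.d/nagios` against the file from the report would print "parsed OK" followed by "bad permissions, should be mode 0440".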
Comment 2 Todd C. Miller 2018-01-16 14:00:02 MST
Documentation fixed in sudo 1.8.22, out now.