Bug 875

Summary: Rule order evaluation request
Product: Sudo Reporter: Scott <slfields66>
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: ASSIGNED ---    
Severity: enhancement    
Priority: low    
Version: 1.8.21   
Hardware: All   
OS: All   

Description Scott 2019-03-12 10:17:00 MDT 
Unless you are using LDAP based sudoers repository, you have no way (that I can find documented) in limiting the order in evaluation of a command from "sudo" from the relevent sudoers and sudoers.d files command aliases.

We use local files, but they are fairly large and in some cases have fairly large expansion evaluations (wildcards).

This causes the rule evaluation to take up to 15 seconds for some users.

I request that a method exists to specify the evaluation order in the sudoers command aliases.

FYI, I'm also seeing that the evaluation order is different from that reported via 'sudo -l'.
Comment 1 Todd C. Miller 2019-03-12 10:48:53 MDT 
sudoers rules are evaluated in order where the last match wins.  Include files are processed in the order in which they appear in the file.  That is, when an include directive is found, evaluation is suspended until parsing of the included file is completed.  In the case of includedir directives, those are processed in sorted lexical order.

This is all detailed in the "Including other files from within sudoers" section of the sudoers manual page.
Comment 2 Scott 2019-03-12 11:25:41 MDT 
Thanks.

I was hoping to resolve this without complicating the configuration more than it already is (aka, creating more include files than already present, when the issue exists within a single config file).

We'll go this route, then.