Bug 880

Summary: Catastrophic effect of changed permissions of `/`
Product: Sudo
Reporter: René Bertin <rjvbertin>
Component: Sudoers
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: high    
Priority: low    
Version: 1.8.9   
Hardware: PC   
OS: Linux   

Description René Bertin 2019-04-24 05:35:51 MDT
Out of the blue I could no longer use `sudo`, which had started failing with an error about not being able to stat /etc/sudoers.

Nothing was wrong with that file or any of the files in sudoers.d. It took me hours (during which I almost launched a complete restore from a recent backup) before I figured out that a manual install I had done just before had changed ownership and permissions on a number of directories including `/` (making that one exclusive to me).

pkexec continued to work, so I could reboot cleanly (which I'd better not have done)...

I fail to see how the permissions change could have affected sudo (and not pkexec) but I am ready to accept that it could be required for utmost security.

However, the error message could and should be more helpful; repairing my mistake could have taken much less time (basically, the time required to remember that I had set a root password). At the very least the issue should be caught by `visudo -c`, and sudo itself could have a repair mode for this, which it should be able to run because it is installed SUID.

It's amazing how helpless you feel when sudo starts failing for no (easily) apparent reason!

Comment 1 Todd C. Miller 2019-07-14 18:53:41 MDT
Sudo tries to stat (and open) sudoers as a non-zero uid to make it possible to store sudoers on NFS.  However, this will fail if the parent directory of sudoers is not accessible to a non-zero uid.

I just committed the following change to retry as root in this case:
https://www.sudo.ws/repos/sudo/rev/6a50adb25f2e
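
Added example, not part of the bug thread or of sudo's source: a diagnostic for the failure described in Comment 1, which walks the parent directories of a sudoers path and reports the first one a non-zero uid cannot traverse. It judges by mode bits only (ACLs, capabilities and LSM policy are ignored), and the default uid/gid of 1 is an arbitrary stand-in for a non-root user.

```python
import os
import stat
from pathlib import Path


def can_search(st, uid, gids):
    """Mode-bit check for directory search (x) permission.

    Assumption: ACLs, capabilities and LSM policy are not considered.
    """
    if uid == 0:
        return True  # local root bypasses directory search checks
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IXUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IXGRP)
    return bool(st.st_mode & stat.S_IXOTH)


def first_blocking_dir(path, uid, gids=()):
    """Return the first ancestor of `path` that `uid` cannot traverse, else None."""
    target = Path(os.path.abspath(path))
    # Path.parents lists the nearest parent first; walk from "/" downwards.
    for directory in reversed(target.parents):
        if not can_search(os.stat(directory), uid, frozenset(gids)):
            return str(directory)
    return None


def report(path="/etc/sudoers", uid=1, gids=(1,)):
    """Describe whether a stat of `path` as `uid` would get past its parents."""
    blocked = first_blocking_dir(path, uid, gids)
    if blocked is None:
        return f"{path}: all parent directories are searchable by uid {uid}"
    st = os.stat(blocked)
    return (f"{path}: uid {uid} cannot traverse {blocked} "
            f"(mode {stat.S_IMODE(st.st_mode):04o}, "
            f"owner {st.st_uid}:{st.st_gid})")


if __name__ == "__main__":
    # uid/gid 1 is an assumed stand-in for "some non-zero uid".
    print(report())
```
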

Comment 2 René Bertin 2019-07-15 02:40:03 MDT
That sounds like it should do the trick, thanks.

I do not have a test environment around ATM in which I could test (and am not really motivated to change permissions on my `/` right now ;)) but I guess you did.