|
Bugzilla – Full Text Bug Listing |
| Summary: | visudo -c fails to catch broken includedir command | ||
|---|---|---|---|
| Product: | Sudo | Reporter: | bgriffin |
| Component: | Visudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED FIXED | ||
| Severity: | high | ||
| Priority: | low | ||
| Version: | 1.8.21 | ||
| Hardware: | PC | ||
| OS: | Linux | ||
The lexer rule for #include and #includedir curently requires a newline at the end or the line will be treated as a comment. This is fixed by the following commit: https://www.sudo.ws/repos/sudo/rev/3d6aa5531609 <INITIAL>^#includedir[[:blank:]]+.*(\r\n|\n)? {
I'm not up on my lex rules, but just from an regexp-sanity point of view, shouldn't that either: not have "(\r\n|\n)?" at all OR include a "$" anchor at the end?
Unfortunately, lex only matches $ if it immediately precedes a newline so that would not help here. The real problem is my choice of #includedir instead of something unambiguous like .includedir. I plan to add support for .include and .includedir in sudo 1.9.0 but it will be a long time before that is available everywhere. This was fixed in sudo 1.9.0. In sudo 1.9.1 these lines are parsed more normally and @include and @includedir are supported as well. |
If #includedir is the last line in /etc/sudoers and /etc/sudoers lacks a final newline, the includedir command is ignored. This is unfortunate, but visudo will be able to verify the file and alert that syntax is incorrect, right? NO, IT DOESN'T. $ diff /etc/sudoers /etc/sudoers.HOLD 30c30 < #includedir /etc/sudoers.d \ No newline at end of file --- > #includedir /etc/sudoers.d $ visudo -c /etc/sudoers: parsed OK $ The only clue that there's an issue, is the contents of /etc/sudoers.d/ are not also tested. My sudo: sudo/bionic-updates,bionic-security,now 1.8.21p2-3ubuntu1.1 amd64 [installed,automatic] Release notes for newer versions do not seem to address this issue.