Bug 941

Summary: Error message for forbidden tokens unclear
Product: Sudo
Reporter: gesh
Component: Visudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
CC: mehmetgelisin
Priority: low
Version: 1.9.3
Hardware: PC
OS: Linux

Description gesh 2020-09-24 10:21:39 MDT
2f0aca92c360 introduced the CWD and CHROOT directives, making these keywords forbidden in other contexts. Naturally, this breaks configs using these names, with trivial migrations.
However, figuring out that this is the cause of the errors is less than trivial with the error messages given:

/etc/sudoers:40: syntax error, unexpected CHROOT, expecting ALIAS
Cmnd_Alias	CHROOT = /usr/bin/mkarchroot, /usr/bin/arch-nspawn, /usr/bin/makechrootpkg, /usr/bin/extra-x86_64-build
           ^~~~~~
/etc/sudoers:119: syntax error, unexpected '\n', expecting '='
INSTALLERS ALL=INSTALL, UNINSTALL, CHROOT
                                         ^

Moreover, this stolen syntax could have been more prominently signalled in the changelog. At the very least, a message along the lines of "Changes x, y and z changed the syntax of sudoers, when updating please check that your sudoers is up to date with the syntax" would have been helpful. Not masking such a change behind a minor release would also have been helpful. A quick search failed to yield any official versioning policy, something along the lines of SemVer (https://semver.org) might be helpful.

Comment 1 Todd C. Miller 2020-09-24 13:37:30 MDT
It's unfortunate that adding those created new reserved words in sudoers; I agree they need to be documented.  With the existing sudoers grammar, I don't see a way to resolve the ambiguity in the parser between an alias name and an option name.

The syntax error messages are actually a lot better in 1.9.3 than before.  Previously, sudo would simply have said "parse error near line 40".  It may be possible to improve them further.

Comment 2 Todd C. Miller 2020-09-25 13:54:23 MDT
I just committed changes to the sudoers parser so that there is a better error message when declaring an alias with the same name as a reserved word.

Now instead of:
    syntax error, unexpected CHROOT, expecting ALIAS

You get:
    syntax error, reserved word used as an alias name

with the offending token underlined in the message.  I've also updated the man page to explicitly list the reserved words and added a warning to the upgrade notes.

Comment 3 Todd C. Miller 2020-11-30 13:24:53 MST
Fixed in sudo 1.9.4
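
Added example, not part of the bug thread and not sudo's own code: a heuristic pre-upgrade scan that reports where a sudoers file defines or references an alias named after a reserved word, covering both error cases quoted in the description. The function names, the sample text and the RESERVED set (limited to the two keywords this report names) are assumptions of the example; a command argument that happens to equal a reserved word is also reported as a use.

```python
import re

# Only the two keywords this report names; extend the set from the
# reserved-word list in the sudoers(5) manual of the target sudo version.
RESERVED = frozenset({"CWD", "CHROOT"})

ALIAS_DECL = re.compile(r"^\s*(User|Runas|Host|Cmnd|Cmd)_Alias\s+(.*)$", re.S)
ALIAS_NAME = re.compile(r"(?:^|(?<!\\):)\s*([A-Z][A-Z0-9_]*)\s*=")
BARE_WORD = re.compile(r"(?<![\w/.\\-])([A-Z][A-Z0-9_]*)(?![\w/.-])(?!\s*=)")

def logical_lines(text):
    """Yield (first_line_no, text) with backslash-newline continuations joined."""
    buf, start = "", None
    for no, line in enumerate(text.splitlines(), 1):
        start = start or no
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:  # file ended in the middle of a continuation
        yield start, buf

def find_reserved_conflicts(text, reserved=RESERVED):
    """Return sorted (line_no, kind, word); kind is 'definition' or 'use'."""
    hits = set()
    for no, line in logical_lines(text):
        if line.lstrip().startswith("#"):
            continue  # comment or #include directive: nothing to rename
        decl = ALIAS_DECL.match(line)
        if decl:
            for name in ALIAS_NAME.findall(decl.group(2)):
                if name in reserved:
                    hits.add((no, "definition", name))
        # WORD=value is the option syntax itself, so only bare words count.
        for word in BARE_WORD.findall(line):
            if word in reserved:
                hits.add((no, "use", word))
    return sorted(hits)

# Constructed sample modelled on the two lines quoted in the report.
SAMPLE = """\
Cmnd_Alias CHROOT = /usr/bin/mkarchroot, \\
                    /usr/bin/makechrootpkg
INSTALLERS ALL = INSTALL, CHROOT
builder ALL = CHROOT=/srv/build /usr/bin/make
"""

if __name__ == "__main__":
    print(find_reserved_conflicts(SAMPLE))
```

Running `visudo -c` with the upgraded sudo remains the authoritative syntax check; this scan only points at the names to rename before the upgrade.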