Bug 974

Summary: incorrect use of syntax_check() leads to command line verification uncertainty
Product: Sudo
Reporter: Endre Szabo <endre.szabo>
Component: Visudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: normal
CC: endre.szabo
Priority: low
Version: 1.9.6
Hardware: All
OS: All

Description Endre Szabo 2021-04-20 09:17:32 MDT
When things work just fine:

# visudo -sc
/etc/sudoers: parsed OK
/etc/sudoers.d/openvpn: bad permissions, should be mode 0440
/etc/sudoers.d/zfs: parsed OK

When things go bad: (fflag is set)

# visudo -sc -f /etc/sudoers
/etc/sudoers: parsed OK
/etc/sudoers.d/openvpn: parsed OK
/etc/sudoers.d/zfs: parsed OK
# visudo -sc /etc/sudoers
/etc/sudoers: parsed OK
/etc/sudoers.d/openvpn: parsed OK
/etc/sudoers.d/zfs: parsed OK

My guess:

check_syntax() is called with wrong arguments.

check_syntax() function signature is:

check_syntax(const char *file, bool quiet, bool strict, bool oldperms)

how it is called instead:

check_syntax(sudoers_file, quiet, strict, fflag) ? 0 : 1;

Note the 'fflag' vs 'oldperms'.
Comment 1 Todd C. Miller 2021-04-20 09:23:35 MDT
This is intentional.  The permission check is not performed when the -f option is specified.  The intent of the -f flag is to make it possible to check the syntax of a sudoers file before it is installed.  For example, if sudoers is stored in git or as part of some other configuration management setup.
Comment 2 Endre Szabo 2021-04-20 09:34:26 MDT
Minds blown, thanks for the heads up.
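A defender-side complement to the behaviour Todd describes in Comment 1, added here as an example and not part of the sudo project: a POSIX sh check for a pre-install pipeline that runs `visudo -csf` for syntax and then separately enforces the 0440 mode that `-f` deliberately skips, printing in the same style as the `visudo -sc` output in the report. Function names are mine; it assumes GNU stat (`stat -c`) or, failing that, BSD stat (`stat -f`).

```shell
#!/bin/sh
# Added example, not sudo's own code. `visudo -csf FILE` skips the
# permission check on purpose (see Comment 1), so a pipeline that only
# runs it can promote a world-readable sudoers fragment without noticing.
# This pairs the syntax check with an explicit mode check.

# Return 0 if FILE's permission bits are exactly 0440, else 1.
# Tries GNU stat first, then BSD stat (assumption: one of the two exists).
sudoers_mode_ok() {
    file=$1
    mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null) \
        || return 1
    [ "$mode" = "440" ]
}

# Check one candidate file before installing it under /etc/sudoers.d:
# syntax via visudo when it is available, then the mode visudo -c would
# have demanded had -f not been given. One output line per file.
check_sudoers_candidate() {
    file=$1
    if command -v visudo >/dev/null 2>&1; then
        # -c check, -s strict, -q quiet, -f use this file instead of /etc/sudoers
        visudo -csqf "$file" || { echo "$file: syntax error"; return 1; }
    fi
    if sudoers_mode_ok "$file"; then
        echo "$file: parsed OK"
    else
        echo "$file: bad permissions, should be mode 0440"
        return 1
    fi
}
```

Run it as `check_sudoers_candidate build/sudoers.d/zfs` from the checkout, before the file is copied into place.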