Bugzilla – Bug 1007
Conflicting Permissions Checks
Last modified: 2021-11-08 09:25:19 MST
We have hundreds of servers on which we use Ansible to deploy changes to the Sudoers configuration files. During this process, we have Ansible validate the Sudoers files' syntax and permissions. The method we use to validate is:

    visudo -csf %s

This is as per the Ansible documentation for deploying Sudoers changes. However, one of our techs recently deployed a change and it failed on some systems, but this was not caught by the above method. I believe I found the cause: when specifying the file, the permissions are not checked; they are only checked when running just "visudo -cs" alone. For example:

    server1:~ # visudo -cs
    /etc/sudoers: parsed OK
    /etc/sudoers.d/01-ansible: bad permissions, should be mode 0440
    /etc/sudoers.d/05-sap: bad permissions, should be mode 0440
    /etc/sudoers.d/10-users: bad permissions, should be mode 0440
    /etc/sudoers.d/90-cloud: bad permissions, should be mode 0440

However, when specifying the file with "-f":

    server1:~ # visudo -csf /etc/sudoers.d/01-ansible-automation
    /etc/sudoers.d/01-ansible: parsed OK
    server1:~ #

This is quite concerning because the documentation states that when using "-cs" it checks the permissions of the file. It doesn't state that specifying the file to check omits these checks. This is certainly not the behavior I expected, but if this is normal, why?
This is documented under the description of the -c option:

    If the path to the sudoers file was not specified, visudo will also check the file owner and mode. This allows "visudo -c" to be used to validate the syntax for uninstalled files, such as those checked in to a revision control system.
I certainly missed that one. Given that some systems break when the permissions are not exactly 0440 (the deployment had set the files in /etc/sudoers.d/ to 0755), do you have suggestions as to how we can test and validate on a per-file basis, since "visudo -cs" would only work after the files are in place and thus 'sudo' access is already damaged?
I think what is needed are some extra options, something like --check-perms and --check-owner
The following commit adds -O and -P options to visudo to enable ownership and/or permission checks which can be used with the -c option. https://www.sudo.ws/repos/sudo/rev/1f20721148b0
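As an added example (not code from the bug report, from Ansible or from the sudo project), the following POSIX shell script is one way to do the per-file pre-installation check asked for above on sudo versions that predate the -O/-P options: it runs visudo's syntax check on a staged copy of the fragment and then applies, with stat, the owner and mode checks that "visudo -c" skips once "-f" is given, so a 0755 fragment is rejected before it reaches /etc/sudoers.d and breaks sudo. It assumes GNU coreutils stat (the -c format), sudo's default expectation of root:root and mode 0440 (change the defaults if sudo.conf sets sudoers_uid, sudoers_gid or sudoers_mode), and the function names and staging path are this example's own.

```shell
#!/bin/sh
# Pre-install validation of a staged sudoers fragment.
# Added example; not from the bug report or the sudo project. Assumes GNU
# coreutils stat and sudo's default root:root / 0440 expectations.

# Print "MODE OWNER GROUP" for FILE, e.g. "440 root root". The mode is octal
# without a leading zero, as GNU stat prints it.
file_mode_owner() {
    stat -c '%a %U %G' "$1"
}

# check_sudoers_perms FILE [OWNER] [GROUP] [MODE]
# Reproduces the owner and mode checks that "visudo -cs" performs on the
# installed files but that "visudo -csf FILE" skips. Exit status 0 when FILE
# is owned by OWNER:GROUP and its mode is exactly MODE (default root:root
# 0440); 1 on a mismatch (details on stderr); 2 if FILE cannot be stat'ed.
check_sudoers_perms() {
    f=$1
    want_owner=${2:-root}
    want_group=${3:-root}
    want_mode=$(printf '%s' "${4:-0440}" | sed 's/^0*//')   # "0440" -> "440"
    info=$(file_mode_owner "$f") || return 2
    set -- $info          # intentional word splitting: MODE OWNER GROUP
    have_mode=$1 have_owner=$2 have_group=$3
    rc=0
    if [ "$have_mode" != "$want_mode" ]; then
        echo "$f: bad permissions, mode 0$have_mode, should be mode 0$want_mode" >&2
        rc=1
    fi
    if [ "$have_owner" != "$want_owner" ] || [ "$have_group" != "$want_group" ]; then
        echo "$f: bad owner $have_owner:$have_group, should be $want_owner:$want_group" >&2
        rc=1
    fi
    return $rc
}

# check_sudoers_file FILE [OWNER] [GROUP] [MODE]
# Full pre-install check: visudo's syntax check on the staged file (with -f
# this is syntax only, which is the point of this bug), then the owner/mode
# check above. Fails if either check fails.
check_sudoers_file() {
    visudo -csf "$1" || return 1
    check_sudoers_perms "$@"
}

# Typical use from a deployment step (paths are this example's own): stage
# the fragment with its final owner and mode, check it, and only then move
# it into /etc/sudoers.d.
#   install -o root -g root -m 0440 01-ansible /var/tmp/01-ansible.staged
#   check_sudoers_file /var/tmp/01-ansible.staged \
#       && mv /var/tmp/01-ansible.staged /etc/sudoers.d/01-ansible
```

The staged copy must be created with the same owner and mode it will have in /etc/sudoers.d (the install line above does that), otherwise the permission check validates the wrong thing. On a sudo release that includes the linked commit, the -O and -P options let visudo itself perform the ownership and permission checks together with -c, and the stat-based function becomes unnecessary.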
Wow! Thank you! I honestly didn't expect this, but I appreciate it and will certainly look forward to this being out in all of the repos! I'm sure it'll make everyone's lives easier. Thanks, again! I'll mark 'Resolved' and 'Fixed.' Cheers!