Bug 264 - visudo doesn't verify permissions of sudoers file
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Visudo
Version: 1.6.8
Hardware: PC Linux
Importance: normal high
Assigned To: Todd C. Miller
Reported: 2007-09-30 04:39 MDT by Todd Brandt
Modified: 2008-11-09 15:21 MST (History)
Description Todd Brandt 2007-09-30 04:39:05 MDT
Main issue:
The visudo -c -s -f check should ensure that the file which is about to replace sudoers will have no issues whatsoever when accessed by sudo, i.e. any requirements sudo has on /etc/sudoers must be reflected and verified with visudo. This is not the case.

Specific fail case:
sudo will fail if the /etc/sudoers file's permissions are not set to 440, which is potentially disastrous in Ubuntu since the root account is locked and the only way to edit /etc/sudoers is through sudo -s. Thus if you make this mistake, you have to rescue the system.

If this is a requirement of the /etc/sudoers file, and if this means that sudo will not run without it, then visudo should detect this issue, but it doesn't. Running "visudo -c -s -f <file>" on a sudoers file that has permissions other than 440 returns no error.
Comment 1 Todd C. Miller 2008-11-09 15:21:11 MST
visudo in sudo 1.7.0 will check the owner and mode on the sudoers file in -c mode if -s is specified.  The change will be present in sudo 1.7.0rc4 to be released shortly.
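
The pre-install check this report asks for, as an added example that is not part of the bug thread or of sudo's own code: it verifies a candidate file's mode and owner before running the syntax check quoted in the report. The function names are hypothetical; mode 440 comes from the report, while uid 0 and gid 0 are assumed defaults that can be overridden.

```sh
#!/bin/sh
# Added example, not from the sudo source tree.
# Expected mode 440 comes from the bug report; uid 0 / gid 0 are assumed
# defaults and can be overridden (useful for trying this out unprivileged).

# sudoers_perm_check FILE [UID] [GID] [MODE]
# Prints one line per problem. Exit status: 0 ok, 1 mismatch, 2 cannot check.
# The body is a subshell so its variables do not leak into the caller.
sudoers_perm_check() (
    file=$1 want_uid=${2:-0} want_gid=${3:-0} want_mode=${4:-440}
    [ -f "$file" ] || { echo "$file: not a regular file"; exit 2; }
    # GNU stat first, BSD stat as fallback; -L follows symlinks.
    meta=$(stat -L -c '%a %u %g' "$file" 2>/dev/null) ||
    meta=$(stat -L -f '%Lp %u %g' "$file" 2>/dev/null) ||
        { echo "$file: cannot stat"; exit 2; }
    set -- $meta    # $1 = octal mode, $2 = uid, $3 = gid
    rc=0
    [ "$1" = "$want_mode" ] || { echo "$file: mode $1, expected $want_mode"; rc=1; }
    [ "$2" = "$want_uid" ]  || { echo "$file: uid $2, expected $want_uid"; rc=1; }
    [ "$3" = "$want_gid" ]  || { echo "$file: gid $3, expected $want_gid"; rc=1; }
    exit "$rc"
)

# sudoers_candidate_ok FILE
# Permission check first, then the syntax check quoted in the report.
sudoers_candidate_ok() {
    sudoers_perm_check "$1" || return 1
    command -v visudo >/dev/null 2>&1 || { echo "visudo not found"; return 1; }
    visudo -c -s -f "$1"
}
```

Run `sudoers_candidate_ok` on the candidate before it is copied over /etc/sudoers, so a wrong mode or owner is caught while a working sudo is still available.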