Bug 399 - bad permissions on a file in an includedir breaks sudo
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.7.2
Hardware: PC Linux
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2010-03-11 15:40 MST by Bdale Garbee
Modified: 2010-06-18 16:14 MDT
Description Bdale Garbee 2010-03-11 15:40:44 MST
In my Debian packaging of sudo, I now include the directive

#includedir /etc/sudoers.d

to allow users to create local config fragments without having to modify the stock sudoers file I deliver.

As reported in Debian bug 565552, it appears that if the permissions on a file in that directory are wrong, such as 0644 instead of 0440, sudo will exit with an error message and not run the requested command.

This makes managing the permissions on files in the includedir highly critical.  Would it make sense, perhaps, to change this behavior so that files with incorrect permissions are skipped with a warning, but the remainder of the sudoers content is processed and the requested command run if the working portions of the config allow it?
Comment 1 Todd C. Miller 2010-03-11 15:51:58 MST
Yes, that sounds reasonable.
Comment 2 Todd C. Miller 2010-06-08 16:55:37 MDT
This will be fixed in sudo 1.7.3.  An actual parse error in the file will still cause sudo to error out, however.  Changing that requires more invasive changes to the parser.
Comment 3 Todd C. Miller 2010-06-18 16:14:55 MDT
Fixed in sudo 1.7.3.  Beta versions are out now, GA is due at the end of June.
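
A pre-flight check that a packager or administrator can run to catch the condition described in this report before it reaches sudo. This is an added example, not code from sudo or from this thread; the function names are hypothetical, 0440 is the expected mode taken from the report, and the file-name skip rule is the one documented in the sudoers manual.

```shell
#!/bin/sh
# Added example: audit a sudoers include directory for files whose mode
# differs from the expected one (0440 in this report).
# file_mode and audit_includedir are hypothetical helper names.

# Print the octal permission bits of a file (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Usage: audit_includedir DIR [MODE]
# Prints one "BAD <mode> <path>" line per regular file with the wrong mode.
# Returns 0 if every file matches, 1 if any differ, 2 if DIR is not a directory.
audit_includedir() {
    dir=$1
    want=${2:-440}
    want=${want#0}                       # accept "0440" as well as "440"
    bad=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip subdirectories and an empty glob
        case ${f##*/} in
            *~|*.*) continue ;;          # names #includedir ignores (sudoers manual)
        esac
        mode=$(file_mode "$f")
        if [ "$mode" != "$want" ]; then
            echo "BAD $mode $f"
            bad=1
        fi
    done
    return "$bad"
}

# Typical call (needs read access to the directory):
#   audit_includedir /etc/sudoers.d || echo "fix modes before relying on sudo"
```

The non-zero return makes the function usable as a gate in a package postinst script or a configuration-management run.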