Bug 618 - Ignore drop-in sudoer files with syntax errors rather than breaking everything
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudoers
Version: 1.8.7
Hardware: PC All
Importance: low enhancement
Assigned To: Todd C. Miller
Reported: 2013-10-28 13:07 MDT by bugzilla
Modified: 2020-09-21 08:33 MDT
Description bugzilla 2013-10-28 13:07:41 MDT
Installing a drop-in file with a syntax error to /etc/sudoers.d causes all sudo functionality to break. It might be better to just print out a warning message and ignore any drop-in file that has a syntax error.
Comment 1 Todd C. Miller 2013-11-11 15:37:03 MST
To do this safely the sudoers.d data would have to be journaled instead of applied as the file is read.  If the file parsed OK the journal would then be replayed.  That way the sudoers.d file is either applied completely or not at all.
Comment 2 Todd C. Miller 2020-09-21 08:33:41 MDT
Sudo 1.9.3 will now recover from syntax errors, ignoring the line with the error.
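
The two recovery strategies mentioned in Comment 1 (journal, then replay) and Comment 2 (ignore the line with the error), modelled side by side as an added example; this is not sudo's code and not part of the original report. It assumes a toy `user host=command` grammar and made-up drop-in file names, and shows that in this model the journaled loader applies a broken file not at all, while the per-line loader applies every rule around the bad line.

```python
import re
# Toy grammar for illustration only (NOT the real sudoers grammar): <user> <host>=<command>
RULE = re.compile(r"^(\S+)\s+([^\s=]+)\s*=\s*(\S.*)$")

def parse_line(line):
    """Return (user, host, command), None for blank/comment lines, or raise ValueError."""
    text = line.split("#", 1)[0].strip()
    if not text:
        return None
    m = RULE.match(text)
    if m is None:
        raise ValueError(f"syntax error: {line!r}")
    return m.groups()

def load_journaled(files):
    """All-or-nothing per file: stage rules in a journal, replay only after a clean parse."""
    policy, rejected = [], []
    for name, content in files:
        journal = []
        try:
            for line in content.splitlines():
                rule = parse_line(line)
                if rule:
                    journal.append(rule)
        except ValueError:
            rejected.append(name)  # journal is discarded; nothing from this file applies
            continue
        policy.extend(journal)     # replay the journal into the live policy
    return policy, rejected

def load_skip_bad_lines(files):
    """Per-line recovery: apply rules as they are read and drop only unparsable lines."""
    policy, bad_lines = [], []
    for name, content in files:
        for lineno, line in enumerate(content.splitlines(), 1):
            try:
                rule = parse_line(line)
            except ValueError:
                bad_lines.append((name, lineno))
                continue
            if rule:
                policy.append(rule)
    return policy, bad_lines

# Constructed sample drop-in files; names and rules are made up for this example.
DROPINS = [
    ("10-ops", "alice ALL=/usr/bin/systemctl\n"),
    ("20-broken", "bob ALL=/usr/bin/journalctl\nbob ALL /usr/bin/id\nbob ALL=/usr/bin/less\n"),
]
```

With either loader, the returned list of rejected files or bad lines is what should be logged, so that a partially applied or dropped policy file does not go unnoticed.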