Bugzilla – Bug 809
Inconsistent visudo output in check mode: permissions are not checked when a file is provided.
Last modified: 2018-01-16 14:00:02 MST
When using visudo -c to check the configuration, it checks every sudoers file, including the ones from the includedir directive. This check also includes file permissions.

    # visudo -c
    /etc/sudoers: parsed OK
    /etc/sudoers.d/90-cloud-init-users: parsed OK
    /etc/sudoers.d/README: parsed OK
    /etc/sudoers.d/nagios: bad permissions, should be mode 0440

When a configuration file is provided (using -f), the permissions are not checked.

    # visudo -c -f /etc/sudoers.d/nagios
    /etc/sudoers.d/nagios: parsed OK

Side question: why 0440?

Note: it also holds for sudo since (at least) v1.8.10, but I couldn't select multiple versions.
This is by design. When the owner and permission check was added to "visudo -c", it explicitly excluded the file specified by the -f option to make it possible to check sudoers files that are not installed. If you want to check an installed sudoers file, you should be using "visudo -c" without the -f option. The reason for this is that the sudoers policy is parsed in its entirety, so checking an individual include file doesn't tell you whether or not the entire policy parses. The reason for the default file mode being 0440 is to make it possible to have sudoers on an NFS share that remaps uid 0 to an unprivileged uid (which is the default for NFS).
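The following script is an added example and is not part of this bug report or of sudo itself. It reproduces, in plain shell, the owner and mode check that "visudo -c" applies to installed files but "visudo -c -f FILE" deliberately skips, so that a fragment destined for /etc/sudoers.d can be audited for the 0440/root requirement before it is installed, with the syntax check left to visudo. It assumes GNU coreutils stat (with a BSD stat fallback) and takes the expected mode and owner as parameters; the script name in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report or from sudo): replicate the
# owner/mode check that "visudo -c" runs on installed sudoers files.
# Assumes GNU stat, falling back to BSD stat; expected mode/owner are
# parameters so the functions can be exercised on constructed test files.

# Print the permission bits of FILE in octal without a leading zero (e.g. 440).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Print the user name owning FILE.
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_sudoers_perms FILE [MODE] [OWNER]
# Exit 0 when FILE is owned by OWNER (default root) with exactly MODE
# (default 0440); otherwise print a visudo-style diagnostic and exit 1.
check_sudoers_perms() {
    f=$1
    want_mode=${2:-0440}
    want_owner=${3:-root}
    # normalise "0440" and "440" to the same string before comparing
    want_mode=$(printf '%s' "$want_mode" | sed 's/^0*//')
    have_mode=$(file_mode "$f" | sed 's/^0*//')
    have_owner=$(file_owner "$f")
    if [ "$have_owner" != "$want_owner" ]; then
        printf '%s: bad owner, should be %s\n' "$f" "$want_owner"
        return 1
    fi
    if [ "$have_mode" != "$want_mode" ]; then
        printf '%s: bad permissions, should be mode 0%s\n' "$f" "$want_mode"
        return 1
    fi
    printf '%s: permissions OK\n' "$f"
    return 0
}

# audit_sudoers_dir DIR [MODE] [OWNER]
# Apply the permission check to every regular file in DIR (as "visudo -c"
# does for an includedir) and, when visudo is installed, the per-file syntax
# check that "-f" provides. Returns the number of files that failed.
audit_sudoers_dir() {
    dir=$1
    failures=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        check_sudoers_perms "$f" "${2:-0440}" "${3:-root}" || failures=$((failures + 1))
        if command -v visudo >/dev/null 2>&1; then
            visudo -c -f "$f" >/dev/null 2>&1 || {
                printf '%s: parse error\n' "$f"
                failures=$((failures + 1))
            }
        fi
    done
    return "$failures"
}

# Usage (script name is an assumption): sh audit-sudoers.sh /etc/sudoers.d
if [ $# -gt 0 ]; then
    audit_sudoers_dir "$1"
fi
```

Run it against a staging directory before copying fragments into /etc/sudoers.d; the final "visudo -c" without -f remains the authoritative check, since only that pass parses the whole policy and reports the installed files' permissions together.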
Documentation fixed in sudo 1.8.22, out now.