Bug 875 – Rule order evaluation request

Bug 875 - Rule order evaluation request


Summary:	Rule order evaluation request

Status:	ASSIGNED

Product:	Sudo
Classification:	Unclassified
Component:	Sudo
Version:	1.8.21
Hardware:	All All

Importance:	low enhancement
Assigned To:	Todd C. Miller

URL:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2019-03-12 10:17 MDT by Scott
Modified:	2019-03-12 11:25 MDT (History)
CC List:	0 users

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Scott 2019-03-12 10:17:00 MDT

Unless you are using LDAP based sudoers repository, you have no way (that I can find documented) in limiting the order in evaluation of a command from "sudo" from the relevent sudoers and sudoers.d files command aliases.

We use local files, but they are fairly large and in some cases have fairly large expansion evaluations (wildcards).

This causes the rule evaluation to take up to 15 seconds for some users.

I request that a method exists to specify the evaluation order in the sudoers command aliases.

FYI, I'm also seeing that the evaluation order is different from that reported via 'sudo -l'.

Comment 1 Todd C. Miller 2019-03-12 10:48:53 MDT

sudoers rules are evaluated in order where the last match wins.  Include files are processed in the order in which they appear in the file.  That is, when an include directive is found, evaluation is suspended until parsing of the included file is completed.  In the case of includedir directives, those are processed in sorted lexical order.

This is all detailed in the "Including other files from within sudoers" section of the sudoers manual page.

Comment 2 Scott 2019-03-12 11:25:41 MDT

Thanks.

I was hoping to resolve this without complicating the configuration more than it already is (aka, creating more include files than already present, when the issue exists within a single config file).

We'll go this route, then.