Bugzilla – Bug 917
visudo -c fails to catch broken includedir command
Last modified: 2020-06-19 06:12:16 MDT
If #includedir is the last line in /etc/sudoers and /etc/sudoers lacks a final newline, the includedir command is ignored. This is unfortunate, but visudo will be able to verify the file and alert that syntax is incorrect, right? NO, IT DOESN'T.

$ diff /etc/sudoers /etc/sudoers.HOLD
30c30
< #includedir /etc/sudoers.d
\ No newline at end of file
---
> #includedir /etc/sudoers.d
$ visudo -c
/etc/sudoers: parsed OK
$

The only clue that there's an issue is that the contents of /etc/sudoers.d/ are not also tested.

My sudo: sudo/bionic-updates,bionic-security,now 1.8.21p2-3ubuntu1.1 amd64 [installed,automatic]

Release notes for newer versions do not seem to address this issue.
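A defender-side check for the condition reported above, added here as an example (it is not code from the bug report or from the sudo project): it flags a sudoers file whose last line is an include directive but which has no final newline, the exact case that affected sudo versions silently treat as a comment while "visudo -c" still reports "parsed OK". The regex also accepts the @include/@includedir spelling that, per the thread, sudo 1.9.1 supports; the sample file contents are constructed, and the file-reading helper is an assumption for convenience.

```python
"""Flag an include directive on the last line of a sudoers file that is not
terminated by a newline (the condition described in this bug report)."""
import re

# Legacy '#include'/'#includedir' directives plus the '@include'/'@includedir'
# forms that the thread says sudo 1.9.1 supports.
INCLUDE_RE = re.compile(r"^[#@]include(dir)?[ \t]+\S")


def find_unterminated_include(text: str):
    """Return the unterminated include directive on the last line, or None.

    Only the final line of a file can lack a trailing newline, so that is the
    only line inspected. On affected sudo versions such a directive is ignored
    and the files in the include directory are never loaded.
    """
    if text == "" or text.endswith("\n"):
        return None  # empty or properly terminated: nothing to flag
    last_line = text.splitlines()[-1]
    if INCLUDE_RE.match(last_line):
        return last_line
    return None


def ensure_trailing_newline(text: str) -> str:
    """Remediation: append the missing newline so the directive is honoured."""
    return text if text == "" or text.endswith("\n") else text + "\n"


def check_sudoers_file(path: str):
    """Hypothetical helper: run the check against a file on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return find_unterminated_include(f.read())


# Constructed sample contents (not real /etc/sudoers files).
GOOD = "root ALL=(ALL:ALL) ALL\n#includedir /etc/sudoers.d\n"
BAD = "root ALL=(ALL:ALL) ALL\n#includedir /etc/sudoers.d"

if __name__ == "__main__":
    for name, content in (("good", GOOD), ("bad", BAD)):
        hit = find_unterminated_include(content)
        if hit is None:
            print(f"{name}: OK")
        else:
            print(f"{name}: WARNING: {hit!r} has no trailing newline")
```

Run it against a copy of a sudoers file before trusting "visudo -c" on a sudo version predating the fix; appending the newline (or, on sudo 1.9.1 and later, using the @includedir form) removes the ambiguity.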
The lexer rule for #include and #includedir currently requires a newline at the end or the line will be treated as a comment. This is fixed by the following commit: https://www.sudo.ws/repos/sudo/rev/3d6aa5531609
<INITIAL>^#includedir[[:blank:]]+.*(\r\n|\n)? {

I'm not up on my lex rules, but just from a regexp-sanity point of view, shouldn't that either: not have "(\r\n|\n)?" at all OR include a "$" anchor at the end?
Unfortunately, lex only matches $ if it immediately precedes a newline so that would not help here. The real problem is my choice of #includedir instead of something unambiguous like .includedir. I plan to add support for .include and .includedir in sudo 1.9.0 but it will be a long time before that is available everywhere.
This was fixed in sudo 1.9.0. In sudo 1.9.1 these lines are parsed more normally and @include and @includedir are supported as well.