Bug 974 - incorrect use of syntax_check() leads to command line verification uncertainty
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Visudo
Version: 1.9.6
Hardware: All
OS: All
Importance: low (priority) normal (severity)
Assigned To: Todd C. Miller
Reported: 2021-04-20 09:17 MDT by Endre Szabo
Modified: 2021-04-20 09:34 MDT

Description Endre Szabo 2021-04-20 09:17:32 MDT
When things work just fine:

# visudo -sc
/etc/sudoers: parsed OK
/etc/sudoers.d/openvpn: bad permissions, should be mode 0440
/etc/sudoers.d/zfs: parsed OK

When things go bad: (fflag is set)

# visudo -sc -f /etc/sudoers
/etc/sudoers: parsed OK
/etc/sudoers.d/openvpn: parsed OK
/etc/sudoers.d/zfs: parsed OK
# visudo -sc /etc/sudoers
/etc/sudoers: parsed OK
/etc/sudoers.d/openvpn: parsed OK
/etc/sudoers.d/zfs: parsed OK

My guess:

check_syntax() is called with wrong arguments.

check_syntax() function signature is:

check_syntax(const char *file, bool quiet, bool strict, bool oldperms)

how it is called instead:

check_syntax(sudoers_file, quiet, strict, fflag) ? 0 : 1;

note the 'fflag' vs 'oldperms'
Comment 1 Todd C. Miller 2021-04-20 09:23:35 MDT
This is intentional.  The permission check is not performed when the -f option is specified.  The intent of the -f flag is to make it possible to check the syntax of a sudoers file before it is installed.  For example, if sudoers is stored in git or as part of some other configuration management setup.
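A practical consequence of Comment 1: a deployment or CI check that validates a staged sudoers file with visudo -cf gets no permission check at all, so it has to verify mode 0440 and root ownership itself before installing the file. The script below is an added example, not code from the sudo project or from this bug report; the function names (file_mode, sudoers_perms_ok, sudoers_syntax_ok, check_staged_sudoers) are hypothetical, and it assumes GNU stat with a BSD stat fallback and a visudo that accepts -c, -s and -f as documented in visudo(8).

```shell
#!/bin/sh
# Added example (not part of the sudo project or this bug report): validate a
# sudoers file staged outside /etc before installing it.  "visudo -cf FILE"
# deliberately skips the owner/mode check (see Comment 1), so a deployment
# check has to verify mode 0440 and root ownership on its own.
set -u

# Print the octal permission bits of a file (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Print the numeric owner uid of a file (GNU stat, BSD stat fallback).
file_uid() {
    stat -c '%u' "$1" 2>/dev/null || stat -f '%u' "$1"
}

# Return 0 when FILE has the permissions sudo expects (mode 0440, owned by
# uid 0), 1 otherwise.  Messages mirror what "visudo -c" prints for /etc/sudoers.
sudoers_perms_ok() {
    file=$1
    mode=$(file_mode "$file")
    uid=$(file_uid "$file")
    rc=0
    if [ "$mode" != "440" ]; then
        echo "$file: bad permissions, should be mode 0440 (is 0$mode)" >&2
        rc=1
    fi
    if [ "$uid" != "0" ]; then
        echo "$file: bad owner, should be uid 0 (is uid $uid)" >&2
        rc=1
    fi
    return $rc
}

# Syntax-check FILE with visudo when it is installed.  With -f only the
# grammar of FILE (and of anything it includes) is checked, never its mode.
sudoers_syntax_ok() {
    file=$1
    if ! command -v visudo >/dev/null 2>&1; then
        echo "visudo not found; skipping syntax check of $file" >&2
        return 0
    fi
    visudo -c -s -f "$file"
}

# Full pre-install check: grammar via visudo -csf, permissions via stat.
# Both must pass, because visudo -f alone says nothing about the second.
check_staged_sudoers() {
    sudoers_syntax_ok "$1" && sudoers_perms_ok "$1"
}

# Usage (hypothetical paths):
#   check_staged_sudoers ./staged/sudoers.d/openvpn \
#       && install -o root -g root -m 0440 ./staged/sudoers.d/openvpn /etc/sudoers.d/openvpn
```

Running the permission check separately is the point: once the file is installed under /etc/sudoers.d, visudo -c without -f will check its mode, but by then a world-readable or wrong-owner file has already been installed. The script also avoids a common shortcut, installing with cp and fixing the mode afterwards, by using install with explicit owner, group and mode.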
Comment 2 Endre Szabo 2021-04-20 09:34:26 MDT
Minds blown, thanks for the heads up.