From kbrierly at ottime.chicago.il.us Thu Nov 5 16:26:23 2009
From: kbrierly at ottime.chicago.il.us (kbrierly at ottime.chicago.il.us)
Date: Thu, 5 Nov 2009 15:26:23 -0600 (CST)
Subject: [sudo-workers] Compile/config option to ignore bad includes
Message-ID: <65039.170.35.224.64.1257456383.squirrel@ottime.homeip.net>

Now that sudo has include support, has anyone looked at an option to have
sudo just warn or ignore invalid include files instead of causing sudo to
fail completely?

I am looking to do automated sudo setup with includedir directives and a
file for each group. It would be nice to be able to tell sudo to ignore
possibly invalid include files instead of failing completely for all
groups.

I understand that they should be caught by the syntax checker, but I'd
like to not have a bad file impact any other users in the short interval
between creating the file and validating its syntax.

Thanks.


From rea-sudo at codelabs.ru Sat Nov 7 06:35:33 2009
From: rea-sudo at codelabs.ru (Eygene Ryabinkin)
Date: Sat, 7 Nov 2009 14:35:33 +0300
Subject: [sudo-workers] Compile/config option to ignore bad includes
In-Reply-To: <65039.170.35.224.64.1257456383.squirrel@ottime.homeip.net>
References: <65039.170.35.224.64.1257456383.squirrel@ottime.homeip.net>

Thu, Nov 05, 2009 at 03:26:23PM -0600, kbrierly at ottime.chicago.il.us wrote:
> Now that sudo has include support, has anyone looked at an option to have
> sudo just warn or ignore invalid include files instead of causing sudo to
> fail completely?
>
> I am looking to do automated sudo setup with includedir directives and a
> file for each group. It would be nice to be able to tell sudo to ignore
> possibly invalid include files instead of failing completely for all
> groups.
>
> I understand that they should be caught by the syntax checker, but I'd
> like to not have a bad file impact any other users in the short interval
> between creating the file and validating its syntax.

Visudo(8) does all the checking, locking and everything else you seem
to need. Just set VISUAL to some script that will perform all the
automation you need. Like this:
-----
$ cat ed.sh
#!/bin/sh
# Overwrite the temp copy with garbage; visudo's syntax check rejects it
echo "aghh lkjasd;flkja lkjsadf" > "$1"

$ cat ed1.sh
#!/bin/sh
# Append a harmless comment; visudo accepts it and installs the file
echo "# comment" >> "$1"
exit

$ VISUAL=`pwd`/ed.sh visudo < /dev/null 2>&1 | grep -q "What now" && echo "Bad file"
Bad file

$ tail -2 /usr/local/etc/sudoers
# %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users localhost=/sbin/shutdown -h now

$ VISUAL=`pwd`/ed1.sh visudo < /dev/null 2>&1 | grep -q "What now" && echo "Bad file"
$

$ tail -2 /usr/local/etc/sudoers
# %users localhost=/sbin/shutdown -h now
# comment
-----
--
Eygene


From jaearick at colby.edu Thu Nov 12 15:43:25 2009
From: jaearick at colby.edu (Jeff A. Earickson)
Date: Thu, 12 Nov 2009 15:43:25 -0500 (EST)
Subject: [sudo-workers] Microsoft patents sudo??!!

Todd,

This one just floated past my e-desk:

http://www.groklaw.net/article.php?story=20091111094923390

Hunh??? How come Microsoft hasn't tried to patent fire?

Jeff Earickson
Colby College


From Todd.Miller at courtesan.com Thu Nov 12 16:05:01 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Thu, 12 Nov 2009 16:05:01 -0500
Subject: [sudo-workers] Microsoft patents sudo??!!
In-Reply-To: Your message of "Thu, 12 Nov 2009 15:43:25 EST."
Message-ID: <200911122105.nACL51F6016659@core.courtesan.com>

I've received a number of questions about US patent 7,617,530 that
some people seem to believe might cover sudo. I don't think that is
the case.

My reading of the patent indicates that it is geared towards GUI-based
environments where the user may need to perform some action (such as
setting the clock in a control panel) that requires increased
privileges. The actual "invention" appears to be that the user is
able to perform an action as a different user without having to type
in the name of that other user when authenticating. One example given
in that patent is the ability to click on a name in a list of
privileged users as opposed to having to type in a user name.

Sudo simply doesn't work this way. When a command is run via sudo the
user is actively running the command as a different user. What is
described in the patent is a mechanism whereby an application or the
operating system detects that an action needs to be run with increased
privileges and automatically prompts the user with a list of potential
users that have the appropriate privilege level to perform the task.

 - todd


From kevin at brierly.net Sat Nov 21 03:44:45 2009
From: kevin at brierly.net (Kevin Brierly)
Date: Sat, 21 Nov 2009 02:44:45 -0600
Subject: [sudo-workers] Compile/config option to ignore bad includes
References: <65039.170.35.224.64.1257456383.squirrel@ottime.homeip.net>
Message-ID: <4B07A87D.8090004@brierly.net>

Eygene Ryabinkin wrote:
> Thu, Nov 05, 2009 at 03:26:23PM -0600, kbrierly at ottime.chicago.il.us wrote:
>
>> Now that sudo has include support, has anyone looked at an option to have
>> sudo just warn or ignore invalid include files instead of causing sudo to
>> fail completely?
>>
>> I am looking to do automated sudo setup with includedir directives and a
>> file for each group. It would be nice to be able to tell sudo to ignore
>> possibly invalid include files instead of failing completely for all
>> groups.
>>
>> I understand that they should be caught by the syntax checker, but I'd
>> like to not have a bad file impact any other users in the short interval
>> between creating the file and validating its syntax.
>>
>
> Visudo(8) does all the checking, locking and everything else you seem
> to need. Just set VISUAL to some script that will perform all the
> automation you need. Like this:
> -----
> $ cat ed.sh
> #!/bin/sh
> # Overwrite the temp copy with garbage; visudo's syntax check rejects it
> echo "aghh lkjasd;flkja lkjsadf" > "$1"
>
> $ cat ed1.sh
> #!/bin/sh
> # Append a harmless comment; visudo accepts it and installs the file
> echo "# comment" >> "$1"
> exit
>
> $ VISUAL=`pwd`/ed.sh visudo < /dev/null 2>&1 | grep -q "What now" && echo "Bad file"
> Bad file
>
> $ tail -2 /usr/local/etc/sudoers
> # %users ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
> # %users localhost=/sbin/shutdown -h now
>
> $ VISUAL=`pwd`/ed1.sh visudo < /dev/null 2>&1 | grep -q "What now" && echo "Bad file"
> $
>
> $ tail -2 /usr/local/etc/sudoers
> # %users localhost=/sbin/shutdown -h now
> # comment
> -----
>

Sorry it's taken so long to respond.

This is not what I'm looking for. There will be a script that will
automatically create sudoers entries for users and put them into a
sudoers include directory. The script will try to validate the new
files as much as possible before they go in; however, there's always a
chance that somehow a bad file might make it into the include dir.

Let's say that bad file somehow makes it in. The second that bad file
is out there, as far as I understand, sudo will fail for everyone.
Therefore even the SAs won't be able to fix it without the root
password and console access.

I am just trying to see if there are any plans to add a configuration
option to the main sudoers that would allow the option of skipping any
include files it deems corrupt/bad and allow the rest of the
configuration to continue to work. To me it seems like a very good
idea to have that option when dealing with include files/dirs. I'd
prefer to inconvenience one user/group rather than everyone if somehow,
some way, a "bad" config makes it out there.


From Todd.Miller at courtesan.com Sat Nov 21 10:02:31 2009
From: Todd.Miller at courtesan.com (Todd C. Miller)
Date: Sat, 21 Nov 2009 10:02:31 -0500
Subject: [sudo-workers] Compile/config option to ignore bad includes
In-Reply-To: Your message of "Sat, 21 Nov 2009 02:44:45 CST."
             <4B07A87D.8090004@brierly.net>
References: <65039.170.35.224.64.1257456383.squirrel@ottime.homeip.net>
            <4B07A87D.8090004@brierly.net>
Message-ID: <200911211502.nALF2Vup008381@core.courtesan.com>

Yes, I am considering how to make syntax errors in files included via
#includedir be ignored. Doing this correctly probably means changing
how includes are processed so an entire included file can be dropped.

 - todd
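The window the thread worries about (a generated fragment sitting in the #includedir directory before anyone has checked it) can be closed on the provisioning side without waiting for a sudo option: stage the fragment in the target directory under a name sudo will not read, run it through visudo's check mode, and only then rename it into place. The script below is an added example written for this page; it is not code from the thread or from the sudo project. The directory layout, the VISUDO override variable (so a different checker can be substituted) and the sample fragments are this example's own assumptions, and it is meant to be run as root, since visudo -c also checks the file's owner and mode.

```shell
#!/bin/sh
# Added example, not from the sudo-workers thread or the sudo project.
# Stage a generated sudoers fragment into an #includedir directory only
# after it has passed validation, so sudo never parses a half-written
# or syntactically broken file.

# sudoers(5): files in an include directory whose names contain a '.'
# or end in '~' are skipped.  Reject such names up front, since the
# fragment would silently never take effect.  Slashes are rejected so a
# caller cannot escape the directory.
fragment_name_ok() {
    case "$1" in
        ''|*.*|*~|*/*) return 1 ;;
        *)             return 0 ;;
    esac
}

# Syntax-check one file in isolation with visudo's check mode.
# VISUDO is an assumed override hook (defaults to visudo on PATH).
fragment_syntax_ok() {
    "${VISUDO:-visudo}" -c -f "$1" >/dev/null 2>&1
}

# install_fragment DIR NAME SRC
# Copies SRC into DIR as a temporary file whose name starts with '.',
# which #includedir ignores, fixes the mode, validates, then renames.
# rename(2) inside one directory is atomic, so sudo sees either the old
# fragment or the complete new one, never an intermediate state.
# Returns 0 on install, 1 on a rejected or unreadable fragment, 2 on a
# name sudo would not read anyway.
install_fragment() {
    dir=$1
    name=$2
    src=$3

    if ! fragment_name_ok "$name"; then
        echo "install_fragment: '$name' would be ignored by #includedir" >&2
        return 2
    fi

    tmp="$dir/.$name.staging.$$"
    if ! cp "$src" "$tmp"; then
        echo "install_fragment: cannot stage $src" >&2
        return 1
    fi
    chmod 0440 "$tmp"

    if ! fragment_syntax_ok "$tmp"; then
        rm -f "$tmp"
        echo "install_fragment: rejected '$name': visudo -c failed" >&2
        return 1
    fi

    mv -f "$tmp" "$dir/$name"
}

# Usage (assumed paths):
#   install_fragment /etc/sudoers.d webadmins /var/tmp/webadmins.generated
```

Two caveats worth knowing before relying on this. visudo -c -f checks the fragment on its own, so a fragment that references a User_Alias or Cmnd_Alias defined only in the main sudoers file is reported as an error even though the combined configuration parses; for that layout, either keep fragments self-contained or run visudo -c (no -f) over the whole configuration after the rename and roll the fragment back on failure. And the check only covers this fragment: nothing here protects against a broken main file or a fragment that bypassed the script, which is exactly the case Todd's proposed per-file error handling would address.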