[sudo-users] sudo-users Digest, Vol 223, Issue 2

Greg Gerke Greg.Gerke at kyndryl.com
Thu Oct 6 12:34:25 MDT 2022


Such a thing isn't permitted here on the off chance that somebody, somehow comes along and creates something like a /etc/sudoers.d/cmds_for_miscreants file. In that case, if it were created and chmod/chown were right, the commands would get sucked in always.

So instead there's a series of:

#include /etc/sudoers.d/app_cmds1
#include /etc/sudoers.d/app_cmds2
#include /etc/sudoers.d/app_cmds3
etc, etc

---
http://www.paulgraham.com/makersschedule.html
https://world.hey.com/jorge/aging-programmer-d448bdec
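
Added example (not part of the original message, and not sudo's own code): a small audit for the policy described above, where only explicitly listed #include files are read. It reports any #includedir directive in the main file, files in the drop-in directory that no #include line names, and #include targets that do not exist. Assumptions: only the main file is read (nested includes are not followed), the %h escape is not expanded, and the function names and the constructed sample tree in demo() are hypothetical.

```python
import os
import re
import tempfile

# "#include F" / "@include F" / "#includedir D" / "@includedir D"
DIRECTIVE = re.compile(r'^[#@](includedir|include)\s+(.+)$')

def audit_includes(main_path, dropin_dir):
    """Return (includedirs, orphans, missing) for one sudoers file.

    includedirs: directories pulled in wholesale by #includedir
    orphans:     files in dropin_dir that no #include line names
    missing:     #include targets that do not exist on disk
    """
    main_dir = os.path.dirname(os.path.abspath(main_path))
    included, includedirs = set(), []
    with open(main_path) as fh:
        for raw in fh:
            m = DIRECTIVE.match(raw.strip())
            if not m:
                continue
            kind, target = m.group(1), m.group(2).strip().strip('"')
            # Relative paths are resolved against the including file's directory.
            path = os.path.normpath(os.path.join(main_dir, target))
            if kind == "includedir":
                includedirs.append(path)
            else:
                included.add(path)
    dropin_dir = os.path.abspath(dropin_dir)
    present = {os.path.join(dropin_dir, n) for n in os.listdir(dropin_dir)}
    orphans = sorted(present - included)
    missing = sorted(p for p in included if not os.path.isfile(p))
    return includedirs, orphans, missing

def demo():
    """Build a constructed sample tree and audit it (names are made up)."""
    root = tempfile.mkdtemp()
    d = os.path.join(root, "sudoers.d")
    os.mkdir(d)
    for name in ("app_cmds1", "app_cmds2", "cmds_for_miscreants"):
        open(os.path.join(d, name), "w").close()
    main = os.path.join(root, "sudoers")
    with open(main, "w") as fh:
        fh.write("Defaults env_reset\n"
                 f"#include {d}/app_cmds1\n"
                 "@include sudoers.d/app_cmds2\n"
                 f"#include {d}/app_cmds3\n")
    incdirs, orphans, missing = audit_includes(main, d)
    return incdirs, [os.path.basename(p) for p in orphans], \
        [os.path.basename(p) for p in missing]

if __name__ == "__main__":
    print(demo())
```

On a real host the call would be audit_includes("/etc/sudoers", "/etc/sudoers.d"), run with enough privilege to read both.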


-----Original Message-----
From: sudo-users <sudo-users-bounces at sudo.ws> On Behalf Of Mark Wilson
Sent: Thursday, October 6, 2022 12:21 PM
To: sudo-users at sudo.ws
Subject: [EXTERNAL] Re: [sudo-users] sudo-users Digest, Vol 223, Issue 2

We've always used the "#includedir" option and placed additional sudoers files in the specified directory.  In this way, using "visudo" only opens the main "sudoers" file, and not any additional sudoer files.

The main sudoers file has the following in it, to specify the include directory:
#includedir /etc/sudoers.d

Example of additional files and their location:
/etc/sudoers.d/001_sudo_user_permissions
/etc/sudoers.d/090_sudo_default_customizations

-Mark Wilson
________________________________
From: sudo-users <sudo-users-bounces at sudo.ws> on behalf of sudo-users-request at sudo.ws <sudo-users-request at sudo.ws>
Sent: Wednesday, October 5, 2022 12:00 PM
To: sudo-users at sudo.ws <sudo-users at sudo.ws>
Subject: sudo-users Digest, Vol 223, Issue 2


Today's Topics:

   1. Re: visudo but don't open #include files? (Todd C. Miller)
   2. Re: visudo but don't open #include files? (Todd C. Miller)


----------------------------------------------------------------------

Message: 1
Date: Tue, 04 Oct 2022 14:27:42 -0600
From: "Todd C. Miller" <Todd.Miller at millert.dev>
To: Greg Gerke <Greg.Gerke at kyndryl.com>
Cc: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Subject: Re: [sudo-users] visudo but don't open #include files?
Message-ID: <61213900e33a54d0 at millert.dev>
Content-Type: text/plain; charset="us-ascii"

On Tue, 04 Oct 2022 13:34:44 -0000, Greg Gerke wrote:

> When I use visudo and go to update /etc/sudoers it always goes and 
> opens each  #include file that I've got. Is there a way to bypass this 
> action? I've got some servers that have upwards of a dozen #include 
> files and there's none of them I'd need to update and just end up doing a :q a dozen times.
>
> I've been trying to use visudo just to make sure I don't fat finger 
> something  in my haste to get in and get out but this action makes me 
> think I should just be using a straight "vi /etc/sudoers" and double check before exiting...

There is currently no way to edit a sudoers file without also editing the files it includes.  I could certainly add an option to ignore includes, perhaps something like "visudo -I".

 - todd


------------------------------

Message: 2
Date: Tue, 04 Oct 2022 14:40:19 -0600
From: "Todd C. Miller" <Todd.Miller at millert.dev>
To: Greg Gerke <Greg.Gerke at kyndryl.com>
Cc: "sudo-users at sudo.ws" <sudo-users at sudo.ws>
Subject: Re: [sudo-users] visudo but don't open #include files?
Message-ID: <61213ba8fdb7e3c9 at millert.dev>
Content-Type: text/plain; charset="us-ascii"

On Tue, 04 Oct 2022 14:27:42 -0600, "Todd C. Miller" wrote:

> There is currently no way to edit a sudoers file without also editing 
> the files it includes.  I could certainly add an option to ignore 
> includes, perhaps something like "visudo -I".

What I have in mind is not to actually ignore includes, but to just edit the main file and any include files that have a pre-existing syntax error.

 - todd


------------------------------

Subject: Digest Footer

____________________________________________________________
sudo-users mailing list <sudo-users at sudo.ws> For list information, options, or to unsubscribe, visit:
https://www.sudo.ws/mailman/listinfo/sudo-users  


------------------------------

End of sudo-users Digest, Vol 223, Issue 2
******************************************