[sudo-workers] Compile/config option to ignore bad includes

Eygene Ryabinkin rea-sudo at codelabs.ru
Sat Nov 7 06:35:33 EST 2009

Thu, Nov 05, 2009 at 03:26:23PM -0600, kbrierly at ottime.chicago.il.us wrote:
> Now that sudo has include support has anyone looked at an option to have
> sudo just warn or ignore invalid include files instead of causing sudo to
> fail completely ?
> I am looking to do automated sudo setup with includedir directives and a
> file for each group. It would be nice to be able to tell sudo to ignore
> possibly invalid include files instead of failing completely for all
> groups.
> I understand that they should be caught by the syntax checker, but i'd
> like to not have a bad file impact any other users in the short interval
> between creating the file and validating it's sytax.

Visudo(8) does all checking, locking and everything else you seem
to need.  If you'll set VISUAL to some script that will perform all
automation you need.  Like this:
$ cat ed.sh

echo "aghh lkjasd;flkja lkjsadf" > "$1"

$ cat ed1.sh

echo "# comment" >> "$1"

$ VISUAL=`pwd`/ed.sh visudo < /dev/null 2>&1 | grep -q "What now" && echo "Bad file"
Bad file

$ tail -2 /usr/local/etc/sudoers
# %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
# %users  localhost=/sbin/shutdown -h now

$ VISUAL=`pwd`/ed1.sh visudo < /dev/null 2>&1 | grep -q "What now" && echo "Bad file"

$ tail -2 /usr/local/etc/sudoers
# %users  localhost=/sbin/shutdown -h now
# comment

More information about the sudo-workers mailing list