[sudo-workers] Compile/config option to ignore bad includes

Kevin Brierly kevin at brierly.net
Sat Nov 21 03:44:45 EST 2009


Eygene Ryabinkin wrote:
> Thu, Nov 05, 2009 at 03:26:23PM -0600, kbrierly at ottime.chicago.il.us wrote:
>   
>> Now that sudo has include support has anyone looked at an option to have
>> sudo just warn or ignore invalid include files instead of causing sudo to
>> fail completely ?
>>
>> I am looking to do automated sudo setup with includedir directives and a
>> file for each group. It would be nice to be able to tell sudo to ignore
>> possibly invalid include files instead of failing completely for all
>> groups.
>>
>> I understand that they should be caught by the syntax checker, but I'd
>> like to not have a bad file impact any other users in the short interval
>> between creating the file and validating its syntax.
>>     
>
> Visudo(8) does all the checking, locking and everything else you seem
> to need, if you set VISUAL to some script that will perform all the
> automation you need.  Like this:
> -----
> $ cat ed.sh
> #!/bin/sh
>
> echo "aghh lkjasd;flkja lkjsadf" > "$1"
>
> $ cat ed1.sh
> #!/bin/sh
>
> echo "# comment" >> "$1"
> exit
>
> $ VISUAL=`pwd`/ed.sh visudo < /dev/null 2>&1 | grep -q "What now" && echo "Bad file"
> Bad file
>
> $ tail -2 /usr/local/etc/sudoers
> # %users  ALL=/sbin/mount /cdrom,/sbin/umount /cdrom
> # %users  localhost=/sbin/shutdown -h now
>
> $ VISUAL=`pwd`/ed1.sh visudo < /dev/null 2>&1 | grep -q "What now" && echo "Bad file"
> $
>
> $ tail -2 /usr/local/etc/sudoers
> # %users  localhost=/sbin/shutdown -h now
> # comment
> -----
>   

Sorry it has taken so long to respond....

This is not what I'm looking for. There will be a script that will 
automatically create sudoers entries for users and put them into a 
sudoers include directory.
The script will try to validate the new files as much as possible before 
they go in, however there's always a chance that somehow a bad file 
might make it into the include dir.
Let's say that bad file somehow makes it in. The second that bad file is 
out there, as far as I understand, sudo will fail for everyone. 
That means even the SAs won't be able to fix it without the root 
password and console access.

I am just trying to see if there are any plans to add a configuration 
option to the main sudoers that would allow the option of skipping any 
include files it deems corrupt/bad and allow the rest of the 
configuration to continue to work.
To me it seems like a very good idea to have that option when dealing 
with include files/dirs. I'd prefer to inconvenience one user/group 
rather than everyone if somehow someway a "bad" config makes it out there.
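The gap the thread is worried about (a generated file landing in the include directory before it has been validated) can be closed on the installing side. The script below is an added example, not code from the thread or from the sudo project: it copies the generated fragment to a hidden temporary name inside the include directory, runs the real `visudo -c -f` check on that copy, and only then renames it into place. The `VISUDO` and `SUDOERS_D` variables and the `install_fragment` function name are this example's own choices; the rule that `#includedir` skips names containing a `.` or ending in `~` is from sudoers(5), and it is what keeps the temporary copy invisible to sudo while it is being checked.

```shell
#!/bin/sh
# Added example (not from the list thread): stage a generated sudoers
# fragment, check it with "visudo -c -f", and only then rename it into the
# #includedir directory. A fragment that fails the check never becomes
# visible to sudo, so one bad file cannot break sudo for everyone.
# VISUDO and SUDOERS_D are overridable assumptions (defaults shown).
VISUDO="${VISUDO:-visudo}"
SUDOERS_D="${SUDOERS_D:-/etc/sudoers.d}"

# check_fragment FILE: exit 0 if visudo accepts FILE, non-zero otherwise.
check_fragment() {
    "$VISUDO" -c -f "$1" >/dev/null 2>&1
}

# install_fragment SRC NAME: copy SRC to a hidden temp file inside SUDOERS_D,
# validate it, fix its mode, then rename it atomically to SUDOERS_D/NAME.
# Returns non-zero and leaves SUDOERS_D unchanged on any failure.
install_fragment() {
    src=$1
    name=$2
    # sudo skips includedir entries whose name contains '.' or ends in '~',
    # so such a NAME would be silently ignored rather than applied.
    case $name in
        ""|*.*|*~) echo "install_fragment: bad name '$name'" >&2; return 2 ;;
    esac
    # The temp name contains a '.', so sudo ignores it while it exists.
    tmp="$SUDOERS_D/.$name.new.$$"
    cp "$src" "$tmp" || return 1
    if ! check_fragment "$tmp"; then
        echo "install_fragment: '$src' rejected by visudo, not installed" >&2
        rm -f "$tmp"
        return 1
    fi
    # sudo requires mode 0440 and root ownership; run this script as root so
    # the copy is created root-owned.
    chmod 0440 "$tmp" || { rm -f "$tmp"; return 1; }
    # Same directory, so this is a single atomic rename.
    mv -f "$tmp" "$SUDOERS_D/$name" || { rm -f "$tmp"; return 1; }
}

# Usage (as root): sh install_fragment.sh /tmp/generated-rule groupname
if [ $# -eq 2 ]; then
    install_fragment "$1" "$2"
fi
```

Because the check runs on the copy that will actually be renamed, and the rename happens within one directory, there is no window in which sudo can read a half-written or unvalidated file; a rejected fragment only costs the one group whose rules were not installed, which is the trade-off the post asks for.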
