[sudo-workers] Adding a second sysconfdir

Jason Sikes jsikes at suse.com
Thu Dec 15 20:35:53 MST 2022

Hi All,

Currently we are working on a distribution of Linux that has the '/usr' 
directory mounted read-only. A part of this change is to put the 
configuration files provided by the Linux distribution into the /usr/etc 

The system administrator then can put their configuration files, if 
needed, into the /etc directory.

I have patched GNU Autoconf to provide an optional configuration 
parameter: "distconfdir". This is similar to "sysconfdir" except it is 
for configuration files provided by the distributor. In our case, the 
configure option would read "--distconfdir=/usr/etc". The use of 
"sysconfdir" will remain unchanged.

What we propose:

I am working on a patch so that when sudo is configured and built, the 
build environment will accept the distconfdir parameter. Then during 
execution, if that parameter exists, sudo will first try to open 
/etc/sudoers, and if that fails then try to open /usr/etc/sudoers.

If the distconfdir parameter doesn't exist, then sudo's behavior is 

One way that I might implement this is that the variable "sudoers_file" 
will be assigned whichever file path successfully opens.

For visudo, we would have it try to read the sudoers file in the same 
order as above but always write to the /etc directory.

Do you have thoughts or suggestions about this? I would like to hear 
your opinions.

--Thank you,


More information about the sudo-workers mailing list