[sudo-workers] Adding a second sysconfdir

Jason Sikes jsikes at suse.com
Wed Feb 1 01:24:02 MST 2023


Update.



I have attached a patch. This is my first draft to add a second configuration directory, an alternate for /etc. Some notes:

1. I have made changes to the configuration files in order to add two parameters.

1.a. “distconfdir” is the directory that is being added that supplements “sysconfdir”. One points to /etc while the other points to /usr/etc.

1.b. “with-distconf” is a boolean that, when added, specifies that sudo should look in two places for configuration files, i.e. sudo should first look in /etc, and if the file is not there then look in /usr/etc.

2. The configuration files that I modified, “configure” and “Makefile.in”, will be clobbered by configure.ac and Makefile.am. I still need to make sure that configure.ac and Makefile.am correctly build configure and Makefile.in. I am working with the Autoconf package maintainer here at SUSE so that these autotools changes are correct. I am using sudo to test the changes.

3. Within SUSE we are using “sysconfdir” to point to the system configuration directory, /etc, same as before. We have added “distconfdir” to point to our distribution configuration directory, /usr/etc. Within sudo, because the configuration files are complex and so much depends on sysconfdir, I set sysconfdir to /usr/etc (our distconfdir), and the parameter I added, “distconfdir”, is set to our sysconfdir.

Then the change within sudo works like this:

If file exists in /etc (in distconfdir)
    Use /etc/file
Else
    Use /usr/etc/file (in sysconfdir)

4. I have not yet touched visudo.

5. “Distconfdir” is not a good parameter name. I’m open to suggestions, perhaps “altsysconfdir”?

To reiterate: /usr/etc is intended to be read-only; not even root will be able to write to this directory, and /etc is the directory where root can make system configuration changes.

I would like to ask your opinion of the changes I have made so far.

—Thank you,

—Jason




> On Dec 15, 2022, at 19:35, Jason Sikes <jsikes at suse.com> wrote:
>
> Hi All,
>
> Currently we are working on a distribution of Linux that has the '/usr' directory mounted read-only. A part of this change is to put the configuration files provided by the Linux distribution into the /usr/etc directory.
>
> The system administrator then can put their configuration files, if needed, into the /etc directory.
>
> I have patched GNU Autoconf to provide an optional configuration parameter: "distconfdir". This is similar to "sysconfdir" except it is for configuration files provided by the distributor. In our case, the configure option would read "--distconfdir=/usr/etc". The use of "sysconfdir" will remain unchanged.
>
>
> What we propose:
>
> I am working on a patch so that when sudo is configured and built, the build environment will accept the distconfdir parameter. Then during execution, if that parameter exists, sudo will first try to open /etc/sudoers, and if that fails then try to open /usr/etc/sudoers.
>
> If the distconfdir parameter doesn't exist, then sudo's behavior is unchanged.
>
> One way that I might implement this is that the variable "sudoers_file" will be assigned whichever file path successfully opens.
>
> For visudo, we would have it try to read the sudoers file in the same order as above but always write to the /etc directory.
>
>
> Do you have thoughts or suggestions about this? I would like to hear your opinions.
>
>
> --Thank you,
>
> --Jason
>

-------------- next part --------------
A non-text attachment was scrubbed...
Name: sudo-add-distconfdir.patch
Type: application/octet-stream
Size: 22192 bytes
Desc: sudo-add-distconfdir.patch
URL: <http://www.sudo.ws/pipermail/sudo-workers/attachments/20230201/40f694ba/attachment.obj>

