2017-08-23 02:10 UTC

ID: 0005017
Project: CentOS-5
Category: sudo
View Status: public
Last Update: 2013-07-22 14:06
Reporter: kspickard
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 5.5
Target Version: (none)
Fixed in Version: (none)

Summary: 0005017: The #includedir directive in sudoers does not work

Description: As described in sudoers(5), the directive:

#includedir /foo/bar.d

should cause all files not ending in ~ or . within the /foo/bar.d directory to be included as a part of the sudoers configuration. This doesn't appear to work in sudo-1.7.2p1-9.el5_5. I've verified this is not a result of a syntax error in any included file, at least not according to:

visudo -c -f /foo/bar.d/<file>

I've tried different permissions for the /foo/bar.d directory, as well as the contained files, to no avail. Finally, if I use the directive:

#include /foo/bar.d/<file>

the configuration in /foo/bar.d/<file> is included as expected.

I have not tried to reproduce this behavior in any other release -- either of CentOS or sudo.
Additional Information: To reproduce:

useradd sudotest
echo sudotest | passwd --stdin sudotest

mkdir -p /etc/sudoers.d
chmod 0550 /etc/sudoers.d

Using the command:

visudo -f /etc/sudoers.d/sudoers.local

add the following, and save, quit:

sudotest ALL=(root) ALL

Using the command:

visudo

add the following, and save, quit:

#includedir /etc/sudoers.d

To test:

sudo -U sudotest -l

You should receive an indication that 'sudotest' has no sudo commands allowed.

su - sudotest
sudo -l

You should receive a negative response, "Sorry, user sudotest may not run sudo on ...".
Tags: No tags attached.
Attached Files: (none listed)

Relationships: has duplicate 0005018 (closed, kbsingh@karan.org): The #includedir directive in sudoers does not work

Notes

Note 0015212 (mfalb, reporter, 2012-06-04 09:27)

I am running 5.8 and the manpage says:

sudo will read each file in /etc/sudoers.d, skipping file names that
end in ~ or contain a . character ...

I understand that you named your file /etc/sudoers.d/sudoers.local and according to above manpage snippet it is expected to be skipped.

I just verified that #includedir is working in 5.8

Note 0015988 (ahmahmahm, reporter, 2012-10-29 10:54)

Fixed by Red Hat in RHEL 5.5 onwards - see http://rhn.redhat.com/errata/RHBA-2010-0212.html - and therefore in CentOS 5.5 onwards.

Note 0015989 (mfalb, reporter, 2012-10-29 11:30)

Yes, but this bug was filed against 5.5.
This bug is a result of wrong usage IMO.

Note 0017710 (zapman449, reporter, 2013-07-22 14:06)

FWIW, this 'issue' is present in CentOS 6.3 and 6.4 as well.

This should be fixed in the sudo project itself however... particularly in light of the semi-common user name pattern of 'first.last'.

A better pattern might be "ignore files STARTING with '.'", or force a filename to match "*.sudo" or some such.
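
The file-name rule quoted in note 0015212 (and the "first.last" concern in note 0017710) is easy to get wrong because visudo -c -f only validates syntax; it does not tell you whether sudo will ever read the file. The script below is an added example, not code from the CentOS or sudo projects: it mirrors the documented #includedir filter (skip names ending in ~ or containing a .), audits a directory with it, and runs a demo on a constructed temporary directory containing the names discussed in this report. Function names and the sample file names are this example's own assumptions; /etc/sudoers.d is used only as the default directory.

```shell
#!/bin/sh
# Added example (not sudo/CentOS project code): apply the #includedir
# file-name filter from sudoers(5) to a directory before trusting it.

# Return 0 if sudo's #includedir would skip this basename, 1 if it would read it.
sudoers_includedir_skips() {
    case "$1" in
        *~)  return 0 ;;   # editor backup files
        *.*) return 0 ;;   # any dot anywhere: sudoers.local, first.last, foo.rpmsave
        *)   return 1 ;;
    esac
}

# Classify one basename as "included" or "skipped".
sudoers_includedir_classify() {
    if sudoers_includedir_skips "$1"; then echo skipped; else echo included; fi
}

# Walk a directory (default /etc/sudoers.d) and print "<verdict><tab><name>" per entry.
# Dot-files are not listed by the glob, but sudo would skip them anyway (they contain a dot).
sudoers_includedir_audit() {
    dir="${1:-/etc/sudoers.d}"
    for path in "$dir"/*; do
        [ -e "$path" ] || continue
        name="${path##*/}"
        printf '%s\t%s\n' "$(sudoers_includedir_classify "$name")" "$name"
    done
}

# Demo on a constructed temporary directory; the names are sample data, not from any real host.
sudoers_includedir_demo() {
    tmp=$(mktemp -d) || return 1
    for n in sudoers.local first.last admins admins~ 90-cloud-init-users; do
        : > "$tmp/$n"
    done
    sudoers_includedir_audit "$tmp"
    rm -rf "$tmp"
}
```

Running sudoers_includedir_demo shows only admins and 90-cloud-init-users as included; sudoers.local and first.last are skipped because of the dot, admins~ because of the trailing tilde. After renaming, the real check is still "sudo -l" as the target user, as in the reproduction steps above.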

Issue History
Date Modified      Username            Field                Change
2011-07-28 09:35   kspickard           New Issue
2011-07-29 19:44   kbsingh@karan.org   Relationship added   has duplicate 0005018
2012-06-04 09:27   mfalb               Note Added           0015212
2012-10-29 10:54   ahmahmahm           Note Added           0015988
2012-10-29 11:30   mfalb               Note Added           0015989
2013-07-22 14:06   zapman449           Note Added           0017710