View Issue Details

ID: 0005017
Project: CentOS-5
Category: sudo
View Status: public
Last Update: 2013-07-22 14:06
Reporter: kspickard
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Product Version: 5.5
Target Version:
Fixed in Version:
Summary: 0005017: The #includedir directive in sudoers does not work
Description:

As described in sudoers(5), the directive:

#includedir /foo/bar.d

should cause all files not ending in ~ or . within the /foo/bar.d directory to be included as a part of the sudoers configuration. This doesn't appear to work in sudo-1.7.2p1-9.el5_5. I've verified this is not a result of a syntax error in any included file, at least not according to:

visudo -c -f /foo/bar.d/<file>

I've tried different permissions for the /foo/bar.d directory, as well as the contained files, to no avail. Finally, if I use the directive:

#include /foo/bar.d/<file>

the configuration in /foo/bar.d/<file> is included as expected.

I have not tried to reproduce this behavior in any other release -- either of CentOS or sudo.
Additional Information:

To reproduce:

useradd sudotest
echo sudotest | passwd --stdin sudotest

mkdir -p /etc/sudoers.d
chmod 0550 /etc/sudoers.d

Using the command:

visudo -f /etc/sudoers.d/sudoers.local

add the following, and save, quit:

sudotest ALL=(root) ALL

Using the command:

visudo

add the following, and save, quit:

#includedir /etc/sudoers.d

To test:

sudo -U sudotest -l

You should receive an indication that 'sudotest' has no sudo commands allowed.

su - sudotest
sudo -l

You should receive a negative response, "Sorry, user sudotest may not run sudo on ...".
Tags: No tags attached.

Relationships

has duplicate 0005018   closed   kbsingh@karan.org   The #includedir directive in sudoers does not work

Activities

mfalb (reporter)   2012-06-04 09:27   ~0015212

I am running 5.8 and the manpage says:

sudo will read each file in /etc/sudoers.d, skipping file names that
end in ~ or contain a . character ...

I understand that you named your file /etc/sudoers.d/sudoers.local and according to above manpage snippet it is expected to be skipped.

I just verified that #includedir is working in 5.8
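
The file-name rule quoted above, as an added example that is not part of the bug report or of the sudo source: a POSIX shell function that applies the documented #includedir filter (skip names ending in '~' or containing a '.') to a directory and lists the files sudo would silently ignore, which is the check the reporter needed before concluding the directive was broken. The directory contents in demo are constructed for the example; only the name sudoers.local comes from the report.

```shell
#!/bin/sh
# Added example (not from the bug report or from sudo): re-implements the
# file-name filter that sudoers(5) documents for #includedir and applies it
# to a directory, so you can see which files sudo will silently skip.

# Return 0 if sudo would read a file of this name from a #includedir
# directory, 1 if it would skip it (name ends in '~' or contains a '.').
includedir_accepts() {
    case $1 in
        *~)  return 1 ;;   # editor backup files
        *.*) return 1 ;;   # anything with a dot: sudoers.local, first.last, *.rpmsave
        *)   return 0 ;;
    esac
}

# Print, one per line, the regular files in a directory that the rule skips.
# Usage (as root, after editing): list_skipped /etc/sudoers.d
list_skipped() {
    for path in "$1"/*; do
        [ -f "$path" ] || continue
        name=${path##*/}
        includedir_accepts "$name" || printf '%s\n' "$name"
    done
}

# Self-check against a constructed directory (the file names are assumptions;
# only sudoers.local comes from the report). Prints the four skipped names;
# 10_admins is the only one sudo would actually read.
demo() {
    tmp=$(mktemp -d) || return 1
    for f in 10_admins sudoers.local first.last README~ 20_ops.rpmsave; do
        : > "$tmp/$f"
    done
    list_skipped "$tmp"
    rm -rf "$tmp"
}

demo
```

The practical check is to run list_skipped against /etc/sudoers.d whenever a file there does not take effect: a non-empty listing, not a visudo -c error, is what the reporter's sudoers.local would have produced.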

ahmahmahm (reporter)   2012-10-29 10:54   ~0015988

Fixed by Red Hat in RHEL 5.5 onwards - see http://rhn.redhat.com/errata/RHBA-2010-0212.html - and therefore in CentOS 5.5 onwards.

mfalb (reporter)   2012-10-29 11:30   ~0015989

yes, but this bug was filed against 5.5
This bug is a result of wrong usage IMO.

zapman449 (reporter)   2013-07-22 14:06   ~0017710

FWIW, this 'issue' is present in CentOS 6.3 and 6.4 as well.

This should be fixed in the sudo project itself however... particularly in light of the semi-common user name pattern of 'first.last'.

A better pattern might be "ignore files STARTING with '.'", or force a filename to match "*.sudo" or some such.

Issue History

Date Modified Username Field Change
2011-07-28 09:35 kspickard New Issue
2011-07-29 19:44 kbsingh@karan.org Relationship added has duplicate 0005018
2012-06-04 09:27 mfalb Note Added: 0015212
2012-10-29 10:54 ahmahmahm Note Added: 0015988
2012-10-29 11:30 mfalb Note Added: 0015989
2013-07-22 14:06 zapman449 Note Added: 0017710