| View Issue Details [ Jump to Notes ] | [ Issue History ] [ Print ] | ||||||||||||
| ID | Project | Category | View Status | Date Submitted | Last Update | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 0005017 | CentOS-5 | sudo | public | 2011-07-28 09:35 | 2013-07-22 14:06 | ||||||||
| Reporter | kspickard | ||||||||||||
| Priority | normal | Severity | minor | Reproducibility | always | ||||||||
| Status | new | Resolution | open | ||||||||||
| Product Version | 5.5 | ||||||||||||
| Target Version | Fixed in Version | ||||||||||||
| Summary | 0005017: The #includedir directive in sudoers does not work | ||||||||||||
| Description | As described in sudoers(5), the directive: #includedir /foo/bar.d should cause all files not ending in ~ or . within the /foo/bar.d directory to be included as a part of the sudoers configuration. This doesn't appear to work in sudo-1.7.2p1-9.el5_5. I've verified this is not a result of a syntax error in any included file, at least not according to: visudo -c -f /foo/bar.d/<file> I've tried different permissions for the /foo/bar.d directory, as well as the contained files, to no avail. Finally, if I use the directive: #include /foo/bar.d/<file> the configuration in /foo/bar.d/<file> is included as expected. I have not tried to reproduce this behavior in any other release -- either of CentOS or sudo. | ||||||||||||
| Additional Information | To reproduce: useradd sudotest echo sudotest | passwd --stdin sudotest mkdir -p /etc/sudoers.d chmod 0550 /etc/sudoers.d Using the command: visudo -f /etc/sudoers.d/sudoers.local add the following, and save, quit: sudotest ALL=(root) ALL Using the command: visudo add the following, and save, quit: #includedir /etc/sudoers.d To test: sudo -U sudotest -l You should receive an indication that 'sudotest' has no sudo commands allowed. su - sudotest sudo -l You should receive a negative response, "Sorry, user sudotest may not run sudo on ...". | ||||||||||||
| Tags | No tags attached. | ||||||||||||
| Attached Files |
| ||||||||||||
 Relationships |
||||||
|
||||||
 Relationships |
| Notes |
|
|
mfalb (reporter) 2012-06-04 09:27 |
I am running 5.8 and the manpage says: sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or contain a . character ... I understand that you named your file /etc/sudoers.d/sudoers.local and according to above manpage snippet it is expected to be skipped. I just verified that #includedir is working in 5.8 |
|
ahmahmahm (reporter) 2012-10-29 10:54 |
Fixed by Red Hat in RHEL 5.5 onwards - see http://rhn.redhat.com/errata/RHBA-2010-0212.html - and therefore in CentOS 5.5 onwards. |
|
mfalb (reporter) 2012-10-29 11:30 |
yes, but this bug was filed against 5.5 This bug is a result of wrong usage IMO. |
|
zapman449 (reporter) 2013-07-22 14:06 |
FWIW, this 'issue' is present in CentOS 6.3 and 6.4 as well. This should be fixed in the sudo project itself however... particularly in light of the semi-common user name pattern of 'first.last'. A better pattern might be "ignore files STARTING with '.'", or force a filename to match "*.sudo" or some such. |
| Notes |
| Issue History |
|||
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2011-07-28 09:35 | kspickard | New Issue | |
| 2011-07-29 19:44 | kbsingh@karan.org | Relationship added | has duplicate 0005018 |
| 2012-06-04 09:27 | mfalb | Note Added: 0015212 | |
| 2012-10-29 10:54 | ahmahmahm | Note Added: 0015988 | |
| 2012-10-29 11:30 | mfalb | Note Added: 0015989 | |
| 2013-07-22 14:06 | zapman449 | Note Added: 0017710 | |
| Issue History |
