0005017: The #includedir directive in sudoers does not work - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0005017	CentOS-5	sudo	public	2011-07-28 09:35	2019-01-22 17:53

Reporter	kspickard
Priority	normal	Severity	minor	Reproducibility	always
Status	new	Resolution	open
Product Version	5.5
Target Version		Fixed in Version

Summary	0005017: The #includedir directive in sudoers does not work
Description	As described in sudoers(5), the directive: #includedir /foo/bar.d should cause all files not ending in ~ or . within the /foo/bar.d directory to be included as a part of the sudoers configuration. This doesn't appear to work in sudo-1.7.2p1-9.el5_5. I've verified this is not a result of a syntax error in any included file, at least not according to: visudo -c -f /foo/bar.d/<file> I've tried different permissions for the /foo/bar.d directory, as well as the contained files, to no avail. Finally, if I use the directive: #include /foo/bar.d/<file> the configuration in /foo/bar.d/<file> is included as expected. I have not tried to reproduce this behavior in any other release -- either of CentOS or sudo.
Additional Information	To reproduce: useradd sudotest echo sudotest \| passwd --stdin sudotest mkdir -p /etc/sudoers.d chmod 0550 /etc/sudoers.d Using the command: visudo -f /etc/sudoers.d/sudoers.local add the following, and save, quit: sudotest ALL=(root) ALL Using the command: visudo add the following, and save, quit: #includedir /etc/sudoers.d To test: sudo -U sudotest -l You should receive an indication that 'sudotest' has no sudo commands allowed. su - sudotest sudo -l You should receive a negative response, "Sorry, user sudotest may not run sudo on ...".
Tags	No tags attached.

mfalb 2012-06-04 09:27 reporter ~0015212	I am running 5.8 and the manpage says: sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or contain a . character ... I understand that you named your file /etc/sudoers.d/sudoers.local and according to above manpage snippet it is expected to be skipped. I just verified that #includedir is working in 5.8

ahmahmahm 2012-10-29 10:54 reporter ~0015988	Fixed by Red Hat in RHEL 5.5 onwards - see http://rhn.redhat.com/errata/RHBA-2010-0212.html - and therefore in CentOS 5.5 onwards.

mfalb 2012-10-29 11:30 reporter ~0015989	yes, but this bug was filed against 5.5 This bug is a result of wrong usage IMO.

zapman449 2013-07-22 14:06 reporter ~0017710	FWIW, this 'issue' is present in CentOS 6.3 and 6.4 as well. This should be fixed in the sudo project itself however... particularly in light of the semi-common user name pattern of 'first.last'. A better pattern might be "ignore files STARTING with '.'", or force a filename to match "*.sudo" or some such.

agrezende 2019-01-22 17:53 reporter ~0033659	The issue is present in CentOS 7.3 as well.

Date Modified	Username	Field	Change
2011-07-28 09:35	kspickard	New Issue
2011-07-29 19:44	kbsingh@karan.org	Relationship added	has duplicate 0005018
2012-06-04 09:27	mfalb	Note Added: 0015212
2012-10-29 10:54	ahmahmahm	Note Added: 0015988
2012-10-29 11:30	mfalb	Note Added: 0015989
2013-07-22 14:06	zapman449	Note Added: 0017710
2019-01-22 17:53	agrezende	Note Added: 0033659