sudo-project / sudo

Utility to execute a command as another user
https://www.sudo.ws

Add filename checking for visudo -f #255

Open jorymil opened 1 year ago

jorymil commented 1 year ago

Hi folks,

After banging my head against a sudo issue for a couple of hours, I finally traced it back to... my sudoers.d file having a period in it. Any chance that a check could be added to visudo -f to warn people if they're editing a file that will be ignored?

I may be able to fix this myself, but getting the issue filed so I don't forget about it.

millert commented 1 year ago

The problem with this is that visudo has no way of knowing that you are editing a file that will be included via @includedir.

millert commented 1 year ago

Would it have been useful if "visudo -c" warned about files it was ignoring?

jorymil commented 1 year ago

It certainly would have been useful to have "visudo -c" report on that! Sort of the sudo equivalent of an "apachectl configtest" or similar.

I hear you on the fact that visudo has no way to know whether a file is being included via @includedir. Are there circumstances where one might be editing something not in @includedir? That definitely seems like an edge case.

Ultimately this was a once-in-a-career mistake for me, but if I can help save others some time, it'd be really nice.

millert commented 1 year ago

I just pushed changes to "visudo -c" that may help with this:

# visudo -c
/etc/sudoers.d/foo.bak: ignoring editor backup file
/etc/sudoers.d/README.txt: ignoring file name containing '.'
/etc/sudoers: parsed OK

My concern with warning about editing any file with a '.' in it is that given a sudoers with a line like:

@include /etc/sudoers.%h

I don't think visudo should warn for:

# visudo -f /etc/sudoers.myhost
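The discussion above turns on the rule sudoers(5) documents for @includedir directories: files whose name contains a '.' or ends in '~' are skipped, which is why a sudoers.d file with a period in its name is silently ignored. The following POSIX shell script is an added example, not sudo's or visudo's own code: it applies that documented rule to a directory and reports the skipped files in the style of the `visudo -c` output shown above. Which names sudo itself labels an "editor backup file" is an assumption here (names ending in '~' or '.bak'); sudo's own heuristics may differ, and the demo directory at the bottom is constructed, not a real /etc/sudoers.d.

```shell
#!/bin/sh
# Added example (not part of the sudo project): show which files in a
# sudoers.d-style directory sudo will skip, per the sudoers(5) rule
# that @includedir ignores names containing '.' or ending in '~'.

# sudoers_d_skip_reason NAME
#   Print why sudo would skip NAME inside an @includedir directory and
#   return 0; print nothing and return 1 if the file would be read.
sudoers_d_skip_reason() {
    case "$1" in
        *~|*.bak)
            # Assumption: these suffixes are what gets reported as an
            # editor backup file; sudo's real heuristic may differ.
            printf '%s\n' "ignoring editor backup file"
            return 0 ;;
        *.*)
            # Documented rule: any other '.' in the name is skipped too
            # (this also covers dotfiles such as ".swp" leftovers).
            printf '%s\n' "ignoring file name containing '.'"
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# check_sudoers_dir DIR
#   Print one "PATH: reason" line for each entry in DIR that sudo would
#   ignore, mirroring the visudo -c output format.
check_sudoers_dir() {
    dir=$1
    for path in "$dir"/*; do
        [ -e "$path" ] || continue   # empty directory: the glob stays literal
        name=${path##*/}
        if reason=$(sudoers_d_skip_reason "$name"); then
            printf '%s: %s\n' "$path" "$reason"
        fi
    done
}

# count_ignored DIR
#   Print the number of ignored entries in DIR (handy for a pre-deploy check).
count_ignored() {
    check_sudoers_dir "$1" | wc -l | tr -d ' '
}

# Constructed demo directory (not a real /etc/sudoers.d): two files that
# sudo reads, three that it skips.
demo_dir=$(mktemp -d)
for f in 10-admins foo foo.bak README.txt 'foo~'; do
    : > "$demo_dir/$f"
done
check_sudoers_dir "$demo_dir"
rm -rf "$demo_dir"
```

Run it against a staging copy of a sudoers.d directory before shipping a configuration-management change; a non-zero count from `count_ignored` means at least one file will be parsed by nobody, which is exactly the failure mode that prompted this issue.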