
We use the #include feature in the sudoers file for organizing our sudo rules on a per-application basis.

Our sudoers setup looks kinda like this:

/etc/sudoers
 -> #include /usr/local/etc/sudo/sudoers.master
     -> #include /usr/local/etc/sudo/app1.sudo
     -> #include /usr/local/etc/sudo/app2.sudo
     -> #include /usr/local/etc/sudo/<...etc...>.sudo

/usr/local/etc is a directory we sync across all of our servers.

Sometimes we need host-specific sudo rules, so we put those directly into /etc/sudoers. Everything global goes into those centrally synced files.

When I run visudo to edit the local sudoers, it opens /etc/sudoers in vi without a problem. When I save my changes, I get prompted with:

"/etc/sudoers.tmp" XX lines, XXXX characters 
press return to edit /usr/local/etc/sudo/sudoers.master: 
visudo: can't stat /usr/local/etc/sudo/sudoers.master: Bad file number

And then visudo just exits (exit code 1).

The syntax for the sudoers.master and appX.sudo files all check out.

What is causing visudo to fail to follow through with opening the sudoers.master file that was included via the #include at the end of the base sudoers?

I'm seeing this behavior on AIX, Linux, and Solaris.

As a work-around, is there a way to tell visudo to just not follow any #include directives, and only edit the primary file?

fizzlepapers
  • Does `visudo -f /usr/local/etc/sudo/sudoers.master` work OK? This might indicate if this is an issue with that file/directory specifically or the general issue of multiple include files in your environment. – Paul Haldane Apr 28 '15 at 14:59
  • Could it be an `selinux` issue with editing files outside `/etc/`? Anything in the selinux audit log? – Paul Haldane Apr 28 '15 at 15:04
  • Calling `visudo -f /usr/local/etc/sudo/sudoers.master` works fine. It even follows `#include`s to the other sudo files in the same directory without a problem. I don't think it's an `selinux` issue, as I can repeat the same behavior on AIX and Solaris. (Also, we have selinux disabled.) – fizzlepapers Apr 28 '15 at 16:23
  • So not an issue with handling `#include` files in general or access to `/usr/local/etc/sudo/sudoers.master`. Only thing I can think of is odd characters somewhere around the `#include` statement in `/etc/sudoers` (though I'd expect that to be picked up by syntax check). Have you tried looking for oddities using `:se list` when in `vi`? – Paul Haldane Apr 30 '15 at 12:13

1 Answer

If you use #includedir rather than #include, visudo won't try to edit the included files unless they have syntax errors.

Paul Haldane
  • We had discussed using `#includedir`, but we opted against it since we felt having a "master" control file for sudoers would give a bit finer-grained control over how new applications get added in. – fizzlepapers Apr 28 '15 at 14:53
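To make the include mechanics behind the question's chained layout and the answer's `#includedir` suggestion concrete, here is an added example (written for this thread; it is not code from the question, the answer, or the sudo project). It resolves a sudoers include tree the way sudo's parser does, reports which file a failing stat would hit, and lists the files visudo would open one after another, which is exactly the set that shrinks when `#includedir` is used. The directory tree it builds is constructed sample data under a temporary directory, the per-app rules and the drop-in names are invented, and `host1` for the `%h` hostname expansion is an assumption.

```python
"""Resolve a sudoers #include / #includedir chain the way sudo's parser does
and report which files visudo would open in turn.  Added illustration for
this thread, not part of the question, the answer, or the sudo project.
The layout it builds is constructed sample data in a temp directory, and
'host1' for the %h hostname expansion is an assumption."""
import os
import re
import tempfile

# sudo accepts the legacy "#include"/"#includedir" spelling and, since
# sudo 1.9.1, "@include"/"@includedir"; both forms are matched here.
INCLUDE_RE = re.compile(r'^\s*[#@]include(dir)?\s+(\S+)\s*$')


def includedir_entries(directory):
    """Files an #includedir contributes, per sudoers(5): lexical order,
    skipping names that contain a '.' or end in '~' so editor backups and
    package-manager leftovers are never parsed."""
    if not os.path.isdir(directory):
        return []
    names = sorted(n for n in os.listdir(directory)
                   if '.' not in n and not n.endswith('~'))
    return [os.path.join(directory, n) for n in names]


def resolve_includes(path, hostname='host1'):
    """Walk the include tree rooted at `path`.  Returns (depth, path, status,
    via) tuples in visit order.  status: 'ok', 'missing' (the stat failure
    visudo complains about) or 'repeat' (already visited; sudo itself relies
    on a nesting-depth limit instead).  via: 'root', 'include', 'includedir'."""
    seen, results = set(), []

    def walk(p, depth, via):
        real = os.path.realpath(p)
        if real in seen:
            results.append((depth, p, 'repeat', via))
            return
        if not os.path.isfile(p):
            results.append((depth, p, 'missing', via))
            return
        seen.add(real)
        results.append((depth, p, 'ok', via))
        with open(p) as fh:
            for line in fh:
                m = INCLUDE_RE.match(line)
                if not m:
                    continue
                # "%h" in an include path expands to the short hostname
                target = m.group(2).replace('%h', hostname)
                if m.group(1):
                    for entry in includedir_entries(target):
                        walk(entry, depth + 1, 'includedir')
                else:
                    walk(target, depth + 1, 'include')

    walk(path, 0, 'root')
    return results


def files_visudo_edits(results):
    """Root file plus everything reached through #include: the files visudo
    opens one after another.  #includedir files are parsed, not edited."""
    return [p for _, p, status, via in results
            if status == 'ok' and via != 'includedir']


def build_demo_tree():
    """Throw-away copy of the question's layout (constructed data); returns
    the temp root under which the question's paths are recreated."""
    root = tempfile.mkdtemp(prefix='sudoers-demo-')
    sudo_dir = os.path.join(root, 'usr/local/etc/sudo')  # the synced directory
    drop_dir = os.path.join(root, 'etc/sudoers.d')        # the answer's variant
    os.makedirs(sudo_dir)
    os.makedirs(drop_dir)
    files = {
        # the question's chain, plus one include that does not exist so the
        # failing stat shows up in the report
        'etc/sudoers': f'Defaults env_reset\nroot ALL=(ALL) ALL\n'
                       f'#include {sudo_dir}/sudoers.master\n',
        'usr/local/etc/sudo/sudoers.master':
            f'#include {sudo_dir}/app1.sudo\n#include {sudo_dir}/app2.sudo\n'
            f'#include {sudo_dir}/app3.sudo\n',
        'usr/local/etc/sudo/app1.sudo': '%app1 ALL=(root) NOPASSWD: /usr/local/bin/app1ctl\n',
        'usr/local/etc/sudo/app2.sudo': '%app2 ALL=(root) NOPASSWD: /usr/local/bin/app2ctl\n',
        # drop-in variant; the two stale copies are ignored by the name rules
        'etc/sudoers.dropin': f'Defaults env_reset\n#includedir {drop_dir}\n',
        'etc/sudoers.d/app1': '%app1 ALL=(root) NOPASSWD: /usr/local/bin/app1ctl\n',
        'etc/sudoers.d/app2': '%app2 ALL=(root) NOPASSWD: /usr/local/bin/app2ctl\n',
        'etc/sudoers.d/app1.rpmsave': '%app1 ALL=(root) ALL\n',
        'etc/sudoers.d/app2~': '%app2 ALL=(root) ALL\n',
    }
    for rel, body in files.items():
        with open(os.path.join(root, rel), 'w') as fh:
            fh.write(body)
    return root


def demo():
    """Resolve both layouts; returns (chain_results, dropin_results)."""
    root = build_demo_tree()
    return (resolve_includes(os.path.join(root, 'etc/sudoers')),
            resolve_includes(os.path.join(root, 'etc/sudoers.dropin')))


if __name__ == '__main__':
    for results in demo():
        for depth, p, status, via in results:
            print(f"{'  ' * depth}{p} [{status}, via {via}]")
        print('visudo would edit:', files_visudo_edits(results), '\n')
```

Running it prints the chained layout with `app3.sudo` flagged as `missing` (the kind of path visudo's "can't stat" message points at) and four files visudo would edit in sequence, versus a single file for the `#includedir` layout, where `app1.rpmsave` and `app2~` never enter the parse at all. Pointing `resolve_includes` at a real `/etc/sudoers` is a quick, read-only way to see the full include tree before running `visudo -c` on each file.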