Bug#994962: /etc/sudoers.d/README suggests mode 0440 but sudo doesn't require this


Josh Triplett

Sep 24, 2021, 2:10:02 AM
Package: sudo
Version: 1.9.5p2-3
Severity: normal
File: /etc/sudoers.d/README
X-Debbugs-Cc: jo...@joshtriplett.org

/etc/sudoers.d/README says "all files in this directory should be mode
0440". However, sudo does not actually seem to require this, and there's
no obvious reason why sudoers files *need* to restrict world
readability or root writability. The default mode of 0644 seems fine,
and sudo does not complain about sudoers.d files with mode 0644.

- Josh Triplett

Marc Haber

Sep 24, 2021, 6:40:03 AM
On Thu, Sep 23, 2021 at 10:56:00PM -0700, Josh Triplett wrote:
> /etc/sudoers.d/README says "all files in this directory should be mode
> 0440". However, sudo does not actually seem to require this, and there's
> no obvious reason why sudoers files *need* to restrict world
> readability or root writability. The default mode of 0644 seems fine,
> and sudo does not complain about sudoers.d files with mode 0644.

I think this was taken from man sudoers, where upstream writes:

/etc/sudoers is world writable
The permissions on the sudoers file allow all users to write to it. The sudoers file must not
be world-writable, the default file mode is 0440 (readable by owner and group, writable by
none). The default mode may be changed via the “sudoers_mode” option to the sudoers Plugin
line in the sudo.conf(5) file.

I think that Debian should not give advice that contradicts upstream. But
I might be convinced. And, our README says should, not SHOULD in an RFC
sense. It also encourages people to edit sudoers through the provided
scripts, which provide at least a basic syntax check and a rollback
facility to not lock yourself out of your system.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421

Josh Triplett

Sep 24, 2021, 6:10:02 PM
On Fri, Sep 24, 2021 at 12:35:42PM +0200, Marc Haber wrote:
> On Thu, Sep 23, 2021 at 10:56:00PM -0700, Josh Triplett wrote:
> > /etc/sudoers.d/README says "all files in this directory should be mode
> > 0440". However, sudo does not actually seem to require this, and there's
> > no obvious reason why sudoers files *need* to restrict world
> > readability or root writability. The default mode of 0644 seems fine,
> > and sudo does not complain about sudoers.d files with mode 0644.
>
> I think this was taken from man sudoers, where upstream writes:
>
> /etc/sudoers is world writable
> The permissions on the sudoers file allow all users to write to it. The sudoers file must not
> be world-writable, the default file mode is 0440 (readable by owner and group, writable by
> none). The default mode may be changed via the “sudoers_mode” option to the sudoers Plugin
> line in the sudo.conf(5) file.
>
> I think tha Debian should not give advice that contradicts upstream. But
> I might be convinced. And, our README says should, not SHOULD in an RFC
> sense. It also encourages people to edit sudoers through the provided
> scripts, which provide at least a basic syntax check and a rollback
> facility to not lock yourself out of your system.

The main reason I brought this up is that lintian complains about
sudoers files having an unusual mode. I started to file a lintian bug
about accepting a different mode for files in /etc/sudoers.d, but then
it occurred to me to wonder if there's any good reason for that mode,
and I don't think there is. So instead of filing a request on lintian to
allow this, I thought I'd file one on sudo to make it unnecessary.

In particular, I don't think there's any security gained by making
sudoers files non-world-readable.

- Josh Triplett
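The thread turns on a distinction between two different things: the mode that sudo actually refuses to load (a sudoers file writable by others, per the sudoers(5) text Marc quotes) and the mode the README recommends (0440). The following audit script, added here as an illustration and not part of the bug report, the Debian package, or upstream sudo, makes that distinction explicit: it walks a sudoers.d-style directory, reports each file's mode, and separates hard rejections (world-writable) from group-writable warnings and from the purely advisory "not 0440" case. It assumes GNU stat(1) for `stat -c %a`, and it skips names containing a dot or ending in '~' because sudoers(5) documents that the includedir directive ignores such files; the sample directory it builds is constructed for the demo.

```sh
#!/bin/sh
# Added example: audit file modes in a sudoers.d-style directory.
# Verdicts (assumed names, chosen for this example):
#   reject-world-writable  - mode has the other-write bit; sudo refuses such files
#   warn-group-writable    - mode has the group-write bit; risky, flag it
#   warn-not-0440          - loads fine, but differs from the 0440 the README recommends
#   ok                     - exactly 0440
# Assumption: GNU/coreutils stat(1) is available for `stat -c %a`.

# classify_mode OCTAL_MODE -> prints one verdict for a mode such as 440, 644, 2644.
classify_mode() {
    mode="$1"
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then
        printf '%s\n' reject-world-writable
    elif [ $(( 0$mode & 0020 )) -ne 0 ]; then
        printf '%s\n' warn-group-writable
    elif [ "$(( 0$mode & 07777 ))" -ne "$(( 0440 ))" ]; then
        printf '%s\n' warn-not-0440
    else
        printf '%s\n' ok
    fi
}

# audit_dir DIR -> prints "<path> <mode> <verdict>" for every file sudo would parse.
# Returns 1 if any file carries a reject-* verdict, 0 otherwise.
audit_dir() {
    dir="$1"
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # sudoers(5): includedir skips names containing '.' or ending in '~'
        # (editor backups, package-manager leftovers such as foo.dpkg-new).
        case "${f##*/}" in
            *.*|*~) continue ;;
        esac
        mode=$(stat -c %a "$f") || { rc=1; continue; }
        verdict=$(classify_mode "$mode")
        printf '%s %s %s\n' "$f" "$mode" "$verdict"
        case "$verdict" in
            reject-*) rc=1 ;;
        esac
    done
    return "$rc"
}

# run_demo: build a constructed sudoers.d-style directory in a temp dir and audit it.
# Exit status is the audit's: 1 here, because one file is world writable.
run_demo() {
    tmp=$(mktemp -d) || return 2
    printf '%s\n' 'alice ALL=(ALL) NOPASSWD: /usr/bin/apt' > "$tmp/alice"
    chmod 0440 "$tmp/alice"                 # matches the README recommendation
    printf '%s\n' 'bob ALL=(ALL) ALL' > "$tmp/bob"
    chmod 0644 "$tmp/bob"                   # the mode the bug report argues is fine
    printf '%s\n' 'carol ALL=(ALL) ALL' > "$tmp/carol"
    chmod 0646 "$tmp/carol"                 # world writable: sudo refuses this
    printf '%s\n' '# editor backup' > "$tmp/bob~"   # skipped by sudo, so not audited
    audit_dir "$tmp"
    rc=$?
    rm -rf "$tmp"
    return "$rc"
}

run_demo
printf 'audit exit status: %s\n' "$?"
```

To audit a real system, call `audit_dir /etc/sudoers.d` as root (the files are 0440 by default, so an unprivileged stat still works, but reading them does not). Note that the script checks only what the thread discusses, file modes; ownership and syntax are separate checks.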