Your message dated Thu, 1 Jan 2026 22:18:04 +0100
with message-id <[email protected]>
and subject line Re: Bug#1124456: sudo: /etc/sudoers.d readability should be
limited, not readable by "others"?
has caused the Debian Bug report #1124456,
regarding sudo: /etc/sudoers.d readability should be limited, not readable by
"others"?
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1124456: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1124456
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sudo
Version: 1.9.16p2-3
Severity: minor
Dear Maintainer,
"lynis audit system" command can return:
- Permissions for directory: /etc/sudoers.d [ WARNING ]
https://unix.stackexchange.com/a/555786
Maybe the permission of this folder can be limited per the StackExchange post
I have linked?
Inside the folder I have file custom-user-privilege-specification.conf which
also has unexpected permission, but that may be just my custom file. I have
modified its permission to be the same as other files in the directory:
sudo chmod 440 /etc/sudoers.d/custom-user-privilege-specification.conf
After also changing permission per the StackExchange answer, the command:
sudo lynis audit system --tests-from-group authentication
now sees the issue fixed.
-- System Information:
Debian Release: 13.2
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500,
'proposed-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.12.57+deb13-amd64 (SMP w/16 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE,
TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8),
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages sudo depends on:
ii init-system-helpers 1.69~deb13u1
ii libapparmor1 4.1.0-1
ii libaudit1 1:4.0.2-2+b2
ii libc6 2.41-12
ii libpam-modules 1.7.0-5
ii libpam0g 1.7.0-5
ii libselinux1 3.8.1-1
ii libssl3t64 3.5.4-1~deb13u1
ii zlib1g 1:1.3.dfsg+really1.3.1-1+b1
sudo recommends no packages.
sudo suggests no packages.
-- Configuration Files:
/etc/sudoers [Errno 13] Permission denied: '/etc/sudoers'
/etc/sudoers.d/README [Errno 13] Permission denied: '/etc/sudoers.d/README'
-- no debconf information
--- End Message ---
--- Begin Message ---
On Thu, Jan 01, 2026 at 02:39:08PM +0100, user wrote:
> Maybe the permission of this folder can be limited per the StackExchange post
> I have linked?
Why? Do you like not being able to use tab completion?
> Inside the folder I have file custom-user-privilege-specification.conf which
> also has unexpected permission, but that may be just my custom file. I have
> modified its permission to be the same as other files in the directory:
> sudo chmod 440 /etc/sudoers.d/custom-user-privilege-specification.conf
In a container:
[8/6524]mh@swivel:~ $ sudo debspawn login trixie-buildd-amd64
╔═══════════════════════════════════════╗
║ Login for trixie-buildd-amd64 ║
╚═══════════════════════════════════════╝
░ Spawning container swivel-trixie-buildd-amd64-kr4k on
/var/tmp/debspawn/qpgvx9vg.
░ Press Ctrl-] three times within 1s to kill container; two times followed by r
░ to reboot container; two times followed by p to poweroff container.
root@swivel-trixie-buildd-amd64-kr4k:/srv# ls -al /etc/sudoers*
ls: cannot access '/etc/sudoers*': No such file or directory
root@swivel-trixie-buildd-amd64-kr4k:/srv# apt install vim-tiny sudo
Installing:
sudo vim-tiny
Installing dependencies:
libapparmor1 vim-common
Suggested packages:
indent
Recommended packages:
xxd
Summary:
Upgrading: 0, Installing: 4, Removing: 0, Not Upgrading: 0
Download size: 3327 kB
Space needed: 10.8 MB / 515 GB available
Continue? [Y/n]
Get:1 http://deb.debian.org/debian trixie/main amd64 libapparmor1 amd64 4.1.0-1
[43.7 kB]
Get:2 http://deb.debian.org/debian trixie/main amd64 sudo amd64 1.9.16p2-3
[2087 kB]
Get:3 http://deb.debian.org/debian trixie/main amd64 vim-common all
2:9.1.1230-2 [421 kB]
Get:4 http://deb.debian.org/debian trixie/main amd64 vim-tiny amd64
2:9.1.1230-2 [776 kB]
Fetched 3327 kB in 1s (2729 kB/s)
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend
cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 79, <STDIN>
line 4.)
debconf: falling back to frontend: Readline
Selecting previously unselected package libapparmor1:amd64.
(Reading database ... 12654 files and directories currently installed.)
Preparing to unpack .../libapparmor1_4.1.0-1_amd64.deb ...
Unpacking libapparmor1:amd64 (4.1.0-1) ...
Selecting previously unselected package sudo.
Preparing to unpack .../sudo_1.9.16p2-3_amd64.deb ...
Unpacking sudo (1.9.16p2-3) ...
Selecting previously unselected package vim-common.
Preparing to unpack .../vim-common_2%3a9.1.1230-2_all.deb ...
Unpacking vim-common (2:9.1.1230-2) ...
Selecting previously unselected package vim-tiny.
Preparing to unpack .../vim-tiny_2%3a9.1.1230-2_amd64.deb ...
Unpacking vim-tiny (2:9.1.1230-2) ...
Setting up libapparmor1:amd64 (4.1.0-1) ...
Setting up vim-common (2:9.1.1230-2) ...
Setting up sudo (1.9.16p2-3) ...
invoke-rc.d: could not determine current runlevel
invoke-rc.d: WARNING: No init system and policy-rc.d missing! Defaulting to
block.
Setting up vim-tiny (2:9.1.1230-2) ...
update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/editor
(editor) in auto mode
update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/ex (ex) in
auto mode
update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/rview (rview)
in auto mode
update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/vi (vi) in
auto mode
update-alternatives: using /usr/bin/vim.tiny to provide /usr/bin/view (view) in
auto mode
Processing triggers for libc-bin (2.41-12) ...
root@swivel-trixie-buildd-amd64-kr4k:/srv# ls -al /etc/sudoers*
-r--r----- 1 root root 1714 Jun 30 2025 /etc/sudoers
/etc/sudoers.d:
total 4
drwxr-xr-x 1 root root 12 Jan 1 22:14 .
drwxr-xr-x 1 root root 1122 Jan 1 22:14 ..
-r--r----- 1 root root 1068 Jun 30 2025 README
root@swivel-trixie-buildd-amd64-kr4k:/srv# visudo -f /etc/sudoers.d/foo
root@swivel-trixie-buildd-amd64-kr4k:/srv# ls -al /etc/sudoers*
-r--r----- 1 root root 1714 Jun 30 2025 /etc/sudoers
/etc/sudoers.d:
total 8
drwxr-xr-x 1 root root 18 Jan 1 22:14 .
drwxr-xr-x 1 root root 1122 Jan 1 22:14 ..
-r--r----- 1 root root 1068 Jun 30 2025 README
-rw-r----- 1 root root 26 Jan 1 22:14 foo
root@swivel-trixie-buildd-amd64-kr4k:/srv#
Please notice that the files inside /etc/sudoers.d are always for user
and group only as long as you use the recommended way to edit them. If
you use your own methods to edit them, security becomes your problem.
The way things are is the intended way, and it is also compliant with
Debian policy chapter 10.10
This is not a bug, closing.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
--- End Message ---
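
Added example, not part of either message or of the sudo package: a shell function that audits a sudoers drop-in directory for what this thread is about (files that grant any access to "others", or that are not owned by the expected uid) and also flags names containing a '.' or ending in '~', which sudo's includedir directive skips. It assumes GNU stat as shipped on Debian; audit_dropins and demo_audit are hypothetical names, and the sample files are constructed.

```shell
#!/bin/sh
# Usage: audit_dropins DIR [EXPECTED_UID]   (EXPECTED_UID defaults to 0, root)
# Prints one finding per line; returns 0 if clean, 1 if anything was flagged.
audit_dropins() {
    dir=$1
    want_uid=${2:-0}
    rc=0
    for f in "$dir"/*; do
        # Only regular files are examined; symlinks and subdirectories are skipped.
        if [ -L "$f" ] || [ ! -f "$f" ]; then continue; fi
        name=${f##*/}
        mode=$(stat -c '%a' "$f")   # octal mode, e.g. 440 (GNU stat)
        uid=$(stat -c '%u' "$f")    # numeric owner
        bits=$((0$mode))            # leading 0 makes the shell parse it as octal
        if [ $((bits & 007)) -ne 0 ]; then
            echo "OTHERS_ACCESS $mode $name"
            rc=1
        fi
        if [ "$uid" -ne "$want_uid" ]; then
            echo "WRONG_OWNER $uid $name"
            rc=1
        fi
        # includedir skips names that contain '.' or end in '~'.
        case $name in
            *.*|*~) echo "SKIPPED_BY_INCLUDEDIR $name"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample mirroring the thread: README (440), a file with the
# mode visudo produced in the transcript (640), and a hand-made *.conf
# left at 644. The current uid stands in for root so this runs unprivileged.
demo_audit() {
    d=$(mktemp -d)
    for n in README foo custom-user-privilege-specification.conf; do
        echo '# constructed sample' > "$d/$n"
    done
    chmod 440 "$d/README"
    chmod 640 "$d/foo"
    chmod 644 "$d/custom-user-privilege-specification.conf"
    status=0
    audit_dropins "$d" "$(id -u)" || status=$?
    rm -rf "$d"
    return $status
}
```

On a real system the call would be `audit_dropins /etc/sudoers.d`, run as root so the files can be inspected.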