On Fri, Sep 24, 2021 at 12:35:42PM +0200, Marc Haber wrote:
> On Thu, Sep 23, 2021 at 10:56:00PM -0700, Josh Triplett wrote:
> > /etc/sudoers.d/README says "all files in this directory should be mode
> > 0440". However, sudo does not actually seem to require this, and there's
> > no obvious reason why sudoers files *need* to restrict world
> > readability or root writability. The default mode of 0644 seems fine,
> > and sudo does not complain about sudoers.d files with mode 0644.
>
> I think this was taken from man sudoers, where upstream writes:
>
>     /etc/sudoers is world writable
>         The permissions on the sudoers file allow all users to write to it.
>         The sudoers file must not be world-writable, the default file mode
>         is 0440 (readable by owner and group, writable by none). The default
>         mode may be changed via the "sudoers_mode" option to the sudoers
>         Plugin line in the sudo.conf(5) file.
>
> I think that Debian should not give advice that contradicts upstream. But
> I might be convinced. And, our README says should, not SHOULD in an RFC
> sense. It also encourages people to edit sudoers through the provided
> scripts, which provide at least a basic syntax check and a rollback
> facility to not lock yourself out of your system.
The main reason I brought this up is that lintian complains about sudoers
files having an unusual mode. I started to file a lintian bug about accepting
a different mode for files in /etc/sudoers.d, but then it occurred to me to
wonder if there's any good reason for that mode, and I don't think there is.
So instead of filing a request on lintian to allow this, I thought I'd file
one on sudo to make it unnecessary. In particular, I don't think there's any
security gained by making sudoers files non-world-readable.

- Josh Triplett
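The thread distinguishes two things: the mode sudo actually enforces (it refuses a world-writable sudoers file) and the mode the Debian README merely recommends (0440). The following audit script, added here as an example and not part of the bug report or of the sudo package, makes that distinction explicit: it walks a sudoers.d-style directory, reports any world-writable file as an error (the case sudo rejects) and any file that deviates from 0440 as a warning only. The function name `audit_sudoers_dir` and the output format are assumptions of this example; it relies on GNU `stat -c '%a'`, so on BSD-derived systems the stat call would need adjusting.

```shell
#!/bin/sh
# Added example, not from the bug thread or the sudo project.
# Audit a directory of sudoers drop-in files for the two permission
# conditions discussed in the thread:
#   ERROR - file is world-writable: sudo refuses such a file.
#   WARN  - file mode differs from 0440, the mode /etc/sudoers.d/README
#           recommends but sudo does not require.
# Usage: audit_sudoers_dir /etc/sudoers.d
# Returns 0 when no world-writable file was found, 1 otherwise.
# Assumes GNU coreutils stat ('%a' prints the octal mode).

audit_sudoers_dir() {
    dir="$1"
    status=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        mode=$(stat -c '%a' "$f")
        # Leading 0 makes the shell treat the digits as octal; the 002 bit
        # is "other write".
        if [ $(( 0$mode & 002 )) -ne 0 ]; then
            echo "ERROR: $f is world-writable (mode $mode); sudo will refuse it"
            status=1
        elif [ "$mode" != "440" ]; then
            echo "WARN: $f has mode $mode; README recommends 0440"
        fi
    done
    return $status
}

# Run directly against a directory given on the command line.
if [ -n "${1:-}" ]; then
    audit_sudoers_dir "$1"
fi
```

Run it as `sh audit.sh /etc/sudoers.d`. A packaging check that wants to match lintian's stricter view can treat the WARN lines as failures as well; the return code is deliberately tied only to the condition sudo itself enforces.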