Package: sudo Version: 1.9.17p2-1 Severity: serious Tags: security X-Debbugs-Cc: [email protected] X-Debbugs-Cc: [email protected] Control: found -1 1.9.16p2-3
[Filed as RC and a security issue as it can lead to sudoers configuration being implicitly disabled during a bookworm -> trixie upgrade. Please adjust if appropriate.] Hi, While investigating issues with sudo configuration not working as expected on a newly-built trixie machine, I noticed that the output of "sudo -l" included: sudo: unable to open /etc/sudoers.d/10_dsa::util::sudo[dfsg-team-role]: No such file or directory However, the file existed, and had the same permissions as other files in the directory, that were being used as expected. Investigating with strace showed several openat() calls, the first for "10_dsa". I believe this change was caused by https://git.sudo.ws/sudo/commit/?id=f17b35471 - "Support sudoers_file being a colon-separated path of files". Due to the way that includedir directives are processed, this change affects not just literal (lists of) filenames used in sudoers, but also filenames found in the included directory. One might say "who would use colons in filenames", but in any case the filenames were correctly parsed by bookworm's sudo. The error message output by sudo is also misleading, as it was not "/etc/sudoers.d/10_dsa::util::sudo[dfsg-team-role]" which returned ENOENT, but rather "/etc/sudoers.d/10_dsa", which indeed does not exist. Regards, Adam
