Add filename checking for visudo -f
Hi folks,
After banging my head against a sudo issue for a couple of hours, I finally traced it back to... my sudoers.d file having a period in it. Any chance that a check could be added to visudo -f to warn people if they're editing a file that will be ignored?
I may be able to fix this myself, but getting the issue filed so I don't forget about it.
The problem with this is that visudo has no way of knowing that you are editing a file that will be included via @includedir.
Would it have been useful if "visudo -c" warned about files it was ignoring?
It certainly would have been useful to have "visudo -c" report on that! Sort of the sudo equivalent of an "apachectl configtest" or similar.
I hear you on the fact that visudo has no way to know whether a file is being included via @includedir. Are there circumstances where one might be editing something not in @includedir? That definitely seems like an edge case.
Ultimately this was a once-in-a-career mistake for me, but if I can help save others some time, it'd be really nice.
I just pushed changes to "visudo -c" that may help with this:
# visudo -c
/etc/sudoers.d/foo.bak: ignoring editor backup file
/etc/sudoers.d/README.txt: ignoring file name containing '.'
/etc/sudoers: parsed OK
My concern with warning about editing any file with a '.' in it is that given a sudoers with a line like:
@include /etc/sudoers.%h
I don't think visudo should warn for:
# visudo -f /etc/sudoers.myhost
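For systems whose visudo does not yet print these warnings, the same audit can be approximated from the shell. This is an added example, not part of the thread or of sudo's code: the function names and sample file names are hypothetical, the skip rule (names ending in '~' or containing '.') is the one documented for include directories in the sudoers manual, and treating ".bak" as an editor backup is an assumption modeled on the output quoted above.

```shell
#!/bin/sh
# List files in a sudoers include directory that sudo would silently skip.
# Hidden files are not reported because the shell glob does not match them.

sudoers_dir_ignored() {
    dir=$1
    for path in "$dir"/*; do
        [ -f "$path" ] || continue          # skip non-files and an unexpanded glob
        name=${path##*/}                    # judge the file name only, not the directory
        case "$name" in
            *~|*.bak) echo "$path: ignoring editor backup file" ;;
            *.*)      echo "$path: ignoring file name containing '.'" ;;
        esac
    done
}

# Build a constructed sample directory (not real configuration) and print its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    touch "$d/10-admins"                    # would be read by sudo
    touch "$d/foo.bak" "$d/README.txt"      # names taken from the output above
    touch "$d/20-ops~"                      # editor backup ending in '~'
    echo "$d"
}

# Demo run against the constructed directory.
sample=$(make_sample_dir)
sudoers_dir_ignored "$sample"
rm -rf "$sample"
```

Pointing `sudoers_dir_ignored` at the real include directory (commonly /etc/sudoers.d) shows which drop-in files are not taking effect.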