trifectatechfoundation/sudo-rs

Parse unknown tags in sudoers file even if we do not know them

Opened this issue · 2 comments

I.e. right now we do not support the noexec tag, but that results in this error:

/etc/sudoers:91:29: expected host name
ALL ALL = (ALL:ALL) NOEXEC: /bin/sh, /bin/less

Instead something like 'noexec is an unsupported tag' would be a nicer error message for people jumping over from ogsudo.

squell commented

Note: should also add some code in the Def<T> parser so the Xyzzy_Alias syntax warns about attempts to define ambiguous sudoers rules.

The diagnostic (#760 (comment)) is a good idea.

Still, there should be an extra flag to explicitly reject the configuration when validating if it contains not-yet-supported options, for example when calling visudo -c with an extra --no-unsupported. Or we can just make visudo -c --strict include that check, without an extra flag.
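
A sketch of the behaviour discussed in this thread, added here as an illustration and not taken from sudo-rs: tag prefixes are recognised syntactically even when they are not implemented, so the parser can report "noexec is an unsupported tag" instead of "expected host name", and a strict mode turns that report into an error. The names `split_tags` and `Diag`, and which tags count as supported, are assumptions made for the example.

```rust
// Added illustration, not sudo-rs code: every name below is hypothetical.
#[derive(Debug, PartialEq)]
pub enum Diag {
    Warning(String),
    Error(String),
}

// Assumption: the tags this sketch treats as implemented.
const SUPPORTED: &[&str] = &["PASSWD", "NOPASSWD", "SETENV", "NOSETENV"];
// Assumption: valid sudoers tags this sketch treats as not yet implemented.
const UNSUPPORTED: &[&str] = &["EXEC", "NOEXEC", "FOLLOW", "NOFOLLOW"];

/// Consume leading `TAG:` prefixes from the command part of a rule.
/// Returns the accepted tags, the remaining command list, and diagnostics.
pub fn split_tags(spec: &str, strict: bool) -> (Vec<&str>, &str, Vec<Diag>) {
    let (mut tags, mut diags, mut rest) = (Vec::new(), Vec::new(), spec.trim_start());
    loop {
        // A tag is a run of [A-Z_] immediately followed by ':'.
        let len = rest
            .bytes()
            .take_while(|b| b.is_ascii_uppercase() || *b == b'_')
            .count();
        if len == 0 || rest.as_bytes().get(len) != Some(&b':') {
            return (tags, rest, diags);
        }
        let name = &rest[..len];
        rest = rest[len + 1..].trim_start();
        if SUPPORTED.contains(&name) {
            tags.push(name);
        } else {
            let msg = if UNSUPPORTED.contains(&name) {
                format!("{} is an unsupported tag", name.to_lowercase())
            } else {
                format!("unknown tag '{name}'")
            };
            // Strict validation rejects the file; otherwise only warn.
            diags.push(if strict { Diag::Error(msg) } else { Diag::Warning(msg) });
        }
    }
}

fn main() {
    // Constructed input: the command part of the rule quoted in the issue.
    let (tags, cmds, diags) = split_tags("NOEXEC: /bin/sh, /bin/less", false);
    println!("{tags:?} {cmds:?} {diags:?}");
}
```

In the non-strict path this sketch only reports the tag; whether a rule carrying an unenforced restricting tag such as NOEXEC should still be granted is a separate policy decision that the thread does not settle.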