Package: src:sudo
Version: 1.9.16p2-3
Severity: normal

Dear Debian Sudo Maintainers,

I think that /etc/sudoers.d/README should be moved back into /usr/share/doc/sudo/README.Debian for the following reasons:

1) sudo reads and parses it (does not end in ‘~’ or contain a ‘.’ character)
2) It is not world-readable (mode 440)
3) It was created as a workaround for a bug that was later fixed

Here is the timeline for the third point:

* 2009-04-18 sudo: Implement #includedir directive.
  https://github.com/sudo-project/sudo/commit/3be603aa4
* 2009-08-31 Debian: there must be at least one file in /etc/sudoers.d with permissions 0440,
  https://salsa.debian.org/sudo-team/sudo/-/commit/ae5bc08c
* 2009-11-21 sudo: Avoid a parse error when #includedir doesn't find any files.
  https://github.com/sudo-project/sudo/commit/22e333fc5

Untested patch below (mostly removing trailing spaces).

Thank you!
Daniel Lewart
Urbana, Illinois

diff -ru a/README.Debian b/README.Debian
--- a/README.Debian 2025-06-30 00:55:33.000000000 -0500
+++ b/README.Debian 2025-07-05 00:00:00.000000000 -0500
@@ -1,8 +1,31 @@ +The default /etc/sudoers file created on installation of the +sudo package now includes the directive: + + @includedir /etc/sudoers.d + +This will cause sudo to read and parse any files in the /etc/sudoers.d +directory that do not end in '~' or contain a '.' character, if it +exists. It is not an error if the directory does not exist. + +Note also, that because sudoers contents can vary widely, no attempt is +made to add this directive to existing sudoers files on upgrade. Feel free +to add the above directive to the end of your /etc/sudoers file to enable +this functionality for existing installations if you wish! +Sudo versions older than 1.9.1 will only support the old syntax +#includedir. That means that the sudo versions in Debian bullseye (11) +and later will happily accept both @includedir and #includedir. + +Finally, please note that using the visudo command is the recommended way +to update sudoers content, since it protects against many failure modes. +See the man page for visudo and sudoers for more information. + + - - - - - + The version of sudo that ships with Debian by default resets the environment, as described by the "env_reset" flag in the sudoers file. This implies that all environment variables are removed, except for -LOGNAME, PATH, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, XAPPLRESDIR, +LOGNAME, PATH, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, XAPPLRESDIR, XFILESEARCHPATH, XUSERFILESEARCHPATH, LANG, LANGUAGE, LC_*, and USER. In case you want sudo to preserve more environment variables, you must @@ -20,7 +43,7 @@ - - - - - -If you're using the sudo-ldap package, note that it is now configured to +If you're using the sudo-ldap package, note that it is now configured to look for /etc/sudo-ldap.conf. Depending on your system configuration, it probably makes sense for this to be a symlink to /etc/ldap.conf, or perhaps to /etc/libnss-ldap.conf or /etc/pam_ldap.conf. By default, no symlink or 
@@ -37,9 +60,9 @@ - - - - - Note that the support for the sss provider (libsss_sudo.so) that allows sudo -to use SSSD as a cache for policies stored in LDAP is included in the sudo -package, not in the sudo-ldap package. I have some hope that this turns out -to be a better overall solution for using sudo with LDAP, as the sudo-ldap +to use SSSD as a cache for policies stored in LDAP is included in the sudo +package, not in the sudo-ldap package. I have some hope that this turns out +to be a better overall solution for using sudo with LDAP, as the sudo-ldap package is difficult to maintain and I'd love to be able to eliminate it! - - - - - @@ -50,7 +73,7 @@ - - - - - If you're having trouble grasping the fundamental idea of what sudo is all -about, here's a succinct and humorous take on it... +about, here's a succinct and humorous take on it... http://www.xkcd.com/c149.html Only in a/etc/sudoers.d: README
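Review bot: in the first hunk, the new @includedir paragraph states the '~' and '.' skip rule but says nothing about the ownership and mode expected of drop-in files, even though the report itself cites mode 0440 for the file being removed; a sentence such as "Files in /etc/sudoers.d should be owned by root with mode 0440, like /etc/sudoers itself" next to the skip rule would make the section self-contained. The sentence beginning "Sudo versions older than 1.9.1" also runs straight on from the paragraph about upgrades without the blank line the rest of the file uses between paragraphs.

Review bot: the diff ends with "Only in a/etc/sudoers.d: README" but carries no packaging change that stops installing that file or removes it from existing systems on upgrade; since the report's first point is that sudo parses /etc/sudoers.d/README, a stale copy left behind on upgraded systems keeps being parsed, so the move needs a maintainer-script or conffile-removal step alongside the README.Debian edit.

Review bot: the second, third and fourth hunks change only trailing whitespace, as the reporter says, but mixed into the same patch they obscure the one substantive hunk and make the shifted context counts harder to verify; committing the whitespace cleanup separately would keep the content change reviewable.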
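The report's first point is that sudo parses anything in /etc/sudoers.d whose name does not end in '~' or contain a '.'. The following is an added audit script, not part of the bug report or the Debian sudo package: it lists the entries of an include directory that sudo would parse under that rule and flags any that are not mode 0440, the mode the report and Debian's default sudoers use for drop-in files. It assumes GNU stat(1), as shipped on Debian.

```shell
# Added example, not from the bug report or the Debian sudo package:
# audit a sudoers include directory the way sudo's @includedir selects files,
# using the rule quoted in the report (names ending in '~' or containing a
# '.' are skipped). Assumes GNU stat(1), as on Debian.

# Print, one per line, the entries of "$1" that sudo would parse.
includedir_parsed_files() {
    dir=$1
    [ -d "$dir" ] || return 0          # missing directory: nothing to parse
    for path in "$dir"/*; do
        [ -e "$path" ] || continue     # empty directory: the glob stays literal
        name=${path##*/}
        case $name in
            *~ | *.*) continue ;;      # editor backups and dotted names are skipped
        esac
        printf '%s\n' "$name"
    done
}

# Return 1 and print a warning for every parsed file that is not mode 0440,
# the mode the report (and Debian's default sudoers) uses for drop-in files.
# Names containing whitespace are not handled, as they are not expected here.
includedir_check_modes() {
    dir=$1
    rc=0
    for name in $(includedir_parsed_files "$dir"); do
        mode=$(stat -c '%a' "$dir/$name")
        if [ "$mode" != 440 ]; then
            printf 'WARN: %s/%s is parsed by sudo but has mode %s, expected 440\n' \
                "$dir" "$name" "$mode"
            rc=1
        fi
    done
    return $rc
}

# Usage on a real system (as root, since the files are mode 0440):
#   includedir_check_modes /etc/sudoers.d
```

On a system that still carries the README discussed in the report, the first function lists it alongside the real policy fragments, which is exactly the reporter's objection.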