Thanks for the patch, I will consider it after the trixie release.

What does sudo do if it finds an empty /etc/sudoers.d or a non-existing /etc/sudoers.d but the includedir directive is present? You could do me a huge favor by using those tests and documenting the result in this bug. Thanks in advance.

Greetings
Marc

On Fri, Jul 04, 2025 at 11:50:02PM -0500, Daniel Lewart wrote:
Package: src:sudo
Version: 1.9.16p2-3
Severity: normal

Dear Debian Sudo Maintainers,

I think that /etc/sudoers.d/README should be moved back into
/usr/share/doc/sudo/README.Debian for the following reasons:
 1) sudo reads and parses it (does not end in ‘~’ or contain a ‘.’ character)
 2) It is not world-readable (mode 440)
 3) It was created as a workaround for a bug that was later fixed

Here is the timeline for the third point:
 * 2009-04-18  sudo: Implement #includedir directive.
       https://github.com/sudo-project/sudo/commit/3be603aa4
 * 2009-08-31  Debian: there must be at least one file in /etc/sudoers.d with permissions 0440,
       https://salsa.debian.org/sudo-team/sudo/-/commit/ae5bc08c
 * 2009-11-21  sudo: Avoid a parse error when #includedir doesn't find any files.
       https://github.com/sudo-project/sudo/commit/22e333fc5

Untested patch below (mostly removing trailing spaces).

Thank you!
Daniel Lewart
Urbana, Illinois

diff -ru a/README.Debian b/README.Debian
--- a/README.Debian     2025-06-30 00:55:33.000000000 -0500
+++ b/README.Debian     2025-07-05 00:00:00.000000000 -0500
@@ -1,8 +1,31 @@
+The default /etc/sudoers file created on installation of the
+sudo package now includes the directive:
+
+       @includedir /etc/sudoers.d
+
+This will cause sudo to read and parse any files in the /etc/sudoers.d
+directory that do not end in '~' or contain a '.' character, if it
+exists. It is not an error if the directory does not exist.
+
+Note also, that because sudoers contents can vary widely, no attempt is
+made to add this directive to existing sudoers files on upgrade.  Feel free
+to add the above directive to the end of your /etc/sudoers file to enable
+this functionality for existing installations if you wish!
+Sudo versions older than 1.9.1 will only support the old syntax
+#includedir. That means that the sudo versions in Debian bullseye (11)
+and later will happily accept both @includedir and #includedir.
+
+Finally, please note that using the visudo command is the recommended way
+to update sudoers content, since it protects against many failure modes.
+See the man page for visudo and sudoers for more information.
+
+       - - - - -
+
The version of sudo that ships with Debian by default resets the
environment, as described by the "env_reset" flag in the sudoers file.

This implies that all environment variables are removed, except for
-LOGNAME, PATH, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, XAPPLRESDIR,
+LOGNAME, PATH, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, XAPPLRESDIR,
XFILESEARCHPATH, XUSERFILESEARCHPATH, LANG, LANGUAGE, LC_*, and USER.

In case you want sudo to preserve more environment variables, you must
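Review bot: the added paragraph at the top of the hunk states as fact that sudo reads /etc/sudoers.d "if it exists" and that "It is not an error if the directory does not exist", but the cover letter calls the patch untested and the maintainer explicitly asks for the empty-directory and missing-directory cases to be exercised; confirm both against the packaged sudo before the README asserts them, since a parse failure there would lock out every sudoers.d rule. Separately, "That means that the sudo versions in Debian bullseye (11) and later will happily accept both @includedir and #includedir" does not follow from the preceding sentence about versions older than 1.9.1; state the fact it relies on (that bullseye and later ship sudo 1.9.1 or newer) or drop "That means that". Minor: "Note also, that because" needs no comma after "also".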
@@ -20,7 +43,7 @@

        - - - - -

-If you're using the sudo-ldap package, note that it is now configured to
+If you're using the sudo-ldap package, note that it is now configured to
look for /etc/sudo-ldap.conf.  Depending on your system configuration, it
probably makes sense for this to be a symlink to /etc/ldap.conf, or perhaps
to /etc/libnss-ldap.conf or /etc/pam_ldap.conf.  By default, no symlink or
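Review bot: this hunk, like the two that follow it, only strips trailing whitespace from an otherwise unchanged line, which is fine but inflates a patch whose real change is moving the README text; consider sending the whitespace cleanup separately, or at least mention it in the changelog so the content change is easy to pick out.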
@@ -37,9 +60,9 @@
        - - - - -

Note that the support for the sss provider (libsss_sudo.so) that allows sudo
-to use SSSD as a cache for policies stored in LDAP is included in the sudo
-package, not in the sudo-ldap package.  I have some hope that this turns out
-to be a better overall solution for using sudo with LDAP, as the sudo-ldap
+to use SSSD as a cache for policies stored in LDAP is included in the sudo
+package, not in the sudo-ldap package.  I have some hope that this turns out
+to be a better overall solution for using sudo with LDAP, as the sudo-ldap
package is difficult to maintain and I'd love to be able to eliminate it!

        - - - - -
@@ -50,7 +73,7 @@
        - - - - -

If you're having trouble grasping the fundamental idea of what sudo is all
-about, here's a succinct and humorous take on it...
+about, here's a succinct and humorous take on it...

        http://www.xkcd.com/c149.html

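Review bot: the trailing "Only in a/etc/sudoers.d: README" line shows that diff -ru without -N produced no deletion hunk, so applying this patch as posted leaves /etc/sudoers.d/README in place and sudo keeps parsing it, which is the very behaviour the report wants to stop; express the removal explicitly (diff -ruN, or the matching change in the packaging that installs that file) so the content is not duplicated in both locations.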
Only in a/etc/sudoers.d: README

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
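As an added illustration, not part of either message above, the following POSIX sh helper applies the file-name rule quoted in the report (names ending in '~' or containing a '.' are skipped) to an include directory and stays quiet for an empty or absent one, the two cases the maintainer asks to have tested. The demo file names are constructed, and limiting candidates to regular files is my assumption about sudo's behaviour.

```shell
#!/bin/sh
# Apply sudo's @includedir file-name rule to a directory: list the regular
# files whose names do not end in '~' and contain no '.', in sorted order.
# Prints nothing and returns 0 for an empty or absent directory; the caller
# decides whether "no policy fragments at all" is acceptable on that host.
includedir_candidates() {
    dir=$1
    [ -d "$dir" ] || return 0              # absent directory: nothing to read
    for f in "$dir"/*; do
        [ -e "$f" ] || continue            # empty directory: glob unexpanded
        [ -f "$f" ] || continue            # assumption: only regular files
        name=${f##*/}
        case $name in
            *~ | *.*) continue ;;          # editor backup or dotted name
        esac
        printf '%s\n' "$name"
    done
}

# Number of entries sudo would read; 0 means an empty or missing directory.
includedir_count() {
    includedir_candidates "$1" | wc -l | tr -d ' '
}

# Constructed demo tree (hypothetical names, not taken from any real host).
demo=$(mktemp -d)
mkdir "$demo/sudoers.d"
: > "$demo/sudoers.d/README"               # the file this bug is about
: > "$demo/sudoers.d/10-admins"
: > "$demo/sudoers.d/10-admins~"
: > "$demo/sudoers.d/10-admins.dpkg-old"
mkdir "$demo/sudoers.d/subdir"
echo "would be parsed from $demo/sudoers.d:"
includedir_candidates "$demo/sudoers.d"     # 10-admins, README
echo "entries in a missing directory: $(includedir_count "$demo/absent")"   # 0
rm -rf "$demo"
```

On a real system, `visudo -c` reports the parse result of the complete configuration, include directory and all, and is the authoritative check.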