Disable an #include instruction in sudoers

Can a sudoers #include instruction be disabled with an additional # character? Or rather just delete the leading # character?

(I wish I would understand what the sudo developers had on their mind when they created an instruction that requires a leading comment character.)

Andy

Posted 2014-08-08T08:47:03.080

Reputation: 11

In the general case the rationale may be like this: You invent an optional extension to the format. You design its directives so they are invisible (look like comments) to old/basic parsers that don't support them, but new/"enlightened" parsers benefit. Compare extended M3U or #EXTVLCOPT. I doubt this is the case for sudoers though, this file must be strict. Probably someone mindlessly mimicked #include from the C preprocessor, where it's OK because # is not a comment. In sudoers comments start with # and #include is bad design really.

– Kamil Maciorowski – 2019-10-13T08:56:54.970

The first time I analyzed my sudoers file I thought include is a directive and #include is a commented directive. The rule of least surprise violated hard. Also see this answer.

– Kamil Maciorowski – 2019-10-13T09:12:48.163

Answers

2

Yes, a line starting with ##include would be a comment and not an include. See man sudoers.

Dan D.

Posted 2014-08-08T08:47:03.080

Reputation: 5 138

0

Here's a sed command that will disable the directive:

sed -i -re 's/^#includedir.*/## **Removed the include directive** ##/g' /etc/sudoers

What happens with the above code:

  • The sed command disables the #includedir directive that would allow any files in subdirectories to override the /etc/sudoers file.

Seth Bergman

Posted 2014-08-08T08:47:03.080

Reputation: 23
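The following script is an added example and is not code from either answer above. It demonstrates both points made in them: sudo reads a line beginning with ##include or ##includedir as an ordinary comment, so prefixing one more # is enough to disable the directive. Unlike the sed -i one-liner it never edits /etc/sudoers in place: a sudoers file with a syntax error makes sudo refuse every command, so the script works on a copy and runs visudo -c on the result before anything is installed. Assumptions: the pattern INCLUDE_RE approximates sudo's lexer for directives written at column 0 (#include <path>, #includedir <path>, and the @include/@includedir spelling accepted by sudo 1.9.1 and later); directives with leading whitespace are not handled, and visudo -c remains the authority on what sudo actually parses. The sample sudoers content is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the answers above): disable sudoers include
# directives by turning "#include"/"#includedir" into "##include"/
# "##includedir", which sudo treats as comments, then check the result
# with visudo -c before it goes anywhere near /etc/sudoers.
#
# Assumption: INCLUDE_RE approximates sudo's lexer for directives at
# column 0, including the '@' spelling of sudo 1.9.1+. Directives with
# leading whitespace are not matched; let visudo -c have the last word.
INCLUDE_RE='^[#@]include\(dir\)\{0,1\}[[:blank:]]'

# classify_line LINE: print include | comment | blank | rule
classify_line() {
  if [ -z "$1" ]; then
    echo blank
  elif printf '%s\n' "$1" | grep -q "$INCLUDE_RE"; then
    echo include
  else
    case "$1" in
      '#'[0-9]*) echo rule ;;     # "#1000 ALL=..." names a uid, not a comment
      '#'*)      echo comment ;;  # covers "##include ..." and "#@include ..."
      *)         echo rule ;;     # Defaults, aliases, user specifications
    esac
  fi
}

# disable_includes: filter stdin to stdout, putting one more '#' in front
# of every include directive. The original text stays behind it, so the
# change can be reverted later with visudo.
disable_includes() {
  sed -e "s/$INCLUDE_RE/#&/"
}

# count_includes FILE: number of include directives sudo would still act on
count_includes() {
  grep -c "$INCLUDE_RE" "$1" || true   # grep exits 1 when the count is 0
}

# check_sudoers FILE: syntax-check FILE with visudo when it is installed
check_sudoers() {
  if command -v visudo >/dev/null 2>&1; then
    visudo -c -f "$1"
  else
    echo "visudo not installed; skipping syntax check of $1" >&2
  fi
}

# install_sudoers SRC: replace /etc/sudoers with SRC after a clean check.
# Deliberately not called below; run it as root once you have read SRC.
install_sudoers() {
  check_sudoers "$1" && install -m 0440 -o root -g root "$1" /etc/sudoers
}

# --- demonstration on a constructed sudoers file, not the real one ---
work=$(mktemp -d)
cat > "$work/sudoers.orig" <<'EOF'
Defaults env_reset
# site note: local overrides live in sudoers.d
#includedir /etc/sudoers.d
#include /etc/sudoers.local
root ALL=(ALL:ALL) ALL
#1000 ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
EOF

disable_includes < "$work/sudoers.orig" > "$work/sudoers.new"

echo "active include directives before: $(count_includes "$work/sudoers.orig")"
echo "active include directives after:  $(count_includes "$work/sudoers.new")"
while IFS= read -r line; do
  printf '%-8s %s\n' "$(classify_line "$line")" "$line"
done < "$work/sudoers.new"
check_sudoers "$work/sudoers.new" || echo "visudo rejected the result; do not install it" >&2
rm -rf "$work"
```

The extra # keeps the original directive visible, so reverting is a one-character edit in visudo; the answer's sed one-liner instead discards the path. Run the final install step only after visudo -c reports the copy as parsed OK, and keep a root shell open while you do it.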