Your message dated Wed, 31 Dec 2025 10:19:55 +0000
with message-id <[email protected]>
and subject line Bug#1108772: fixed in sudo 1.9.17p2-1exp1
has caused the Debian Bug report #1108772,
regarding /etc/sudoers.d/README should be moved back into README.Debian
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1108772: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108772
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: src:sudo
Version: 1.9.16p2-3
Severity: normal
Dear Debian Sudo Maintainers,
I think that /etc/sudoers.d/README should be moved back into
/usr/share/doc/sudo/README.Debian for the following reasons:
1) sudo reads and parses it (does not end in ‘~’ or contain a ‘.’ character)
2) It is not world-readable (mode 440)
3) It was created as a workaround for a bug that was later fixed
Here is the timeline for the third point:
* 2009-04-18 sudo: Implement #includedir directive.
https://github.com/sudo-project/sudo/commit/3be603aa4
* 2009-08-31 Debian: there must be at least one file in /etc/sudoers.d with
permissions 0440,
https://salsa.debian.org/sudo-team/sudo/-/commit/ae5bc08c
* 2009-11-21 sudo: Avoid a parse error when #includedir doesn't find any
files.
https://github.com/sudo-project/sudo/commit/22e333fc5
Untested patch below (mostly removing trailing spaces).
Thank you!
Daniel Lewart
Urbana, Illinois
diff -ru a/README.Debian b/README.Debian
--- a/README.Debian 2025-06-30 00:55:33.000000000 -0500
+++ b/README.Debian 2025-07-05 00:00:00.000000000 -0500
@@ -1,8 +1,31 @@
+The default /etc/sudoers file created on installation of the
+sudo package now includes the directive:
+
+ @includedir /etc/sudoers.d
+
+This will cause sudo to read and parse any files in the /etc/sudoers.d
+directory that do not end in '~' or contain a '.' character, if it
+exists. It is not an error if the directory does not exist.
+
+Note also, that because sudoers contents can vary widely, no attempt is
+made to add this directive to existing sudoers files on upgrade. Feel free
+to add the above directive to the end of your /etc/sudoers file to enable
+this functionality for existing installations if you wish!
+Sudo versions older than 1.9.1 will only support the old syntax
+#includedir. That means that the sudo versions in Debian bullseye (11)
+and later will happily accept both @includedir and #includedir.
+
+Finally, please note that using the visudo command is the recommended way
+to update sudoers content, since it protects against many failure modes.
+See the man page for visudo and sudoers for more information.
+
+ - - - - -
+
The version of sudo that ships with Debian by default resets the
environment, as described by the "env_reset" flag in the sudoers file.
This implies that all environment variables are removed, except for
-LOGNAME, PATH, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, XAPPLRESDIR,
+LOGNAME, PATH, SHELL, TERM, DISPLAY, XAUTHORITY, XAUTHORIZATION, XAPPLRESDIR,
XFILESEARCHPATH, XUSERFILESEARCHPATH, LANG, LANGUAGE, LC_*, and USER.
In case you want sudo to preserve more environment variables, you must
@@ -20,7 +43,7 @@
- - - - -
-If you're using the sudo-ldap package, note that it is now configured to
+If you're using the sudo-ldap package, note that it is now configured to
look for /etc/sudo-ldap.conf. Depending on your system configuration, it
probably makes sense for this to be a symlink to /etc/ldap.conf, or perhaps
to /etc/libnss-ldap.conf or /etc/pam_ldap.conf. By default, no symlink or
@@ -37,9 +60,9 @@
- - - - -
Note that the support for the sss provider (libsss_sudo.so) that allows sudo
-to use SSSD as a cache for policies stored in LDAP is included in the sudo
-package, not in the sudo-ldap package. I have some hope that this turns out
-to be a better overall solution for using sudo with LDAP, as the sudo-ldap
+to use SSSD as a cache for policies stored in LDAP is included in the sudo
+package, not in the sudo-ldap package. I have some hope that this turns out
+to be a better overall solution for using sudo with LDAP, as the sudo-ldap
package is difficult to maintain and I'd love to be able to eliminate it!
- - - - -
@@ -50,7 +73,7 @@
- - - - -
If you're having trouble grasping the fundamental idea of what sudo is all
-about, here's a succinct and humorous take on it...
+about, here's a succinct and humorous take on it...
http://www.xkcd.com/c149.html
Only in a/etc/sudoers.d: README
--- End Message ---
--- Begin Message ---
Source: sudo
Source-Version: 1.9.17p2-1exp1
Done: Marc Haber <[email protected]>
We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Marc Haber <[email protected]> (supplier of updated sudo package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 31 Dec 2025 08:37:25 +0100
Source: sudo
Architecture: source
Version: 1.9.17p2-1exp1
Distribution: experimental
Urgency: medium
Maintainer: Debian Sudo Maintainers <[email protected]>
Changed-By: Marc Haber <[email protected]>
Closes: 1108772
Changes:
sudo (1.9.17p2-1exp1) experimental; urgency=medium
.
[ Marc Haber ]
* remove sudo-ldap.maintscript
* remove sudo-ldap and libnss-sudo
.
[ Alexander Reichle-Schmehl ]
* Add myself to uploaders
.
[ Daniel Lewart ]
* Move /etc/sudoers.d/README to top of README.Debian (Closes: #1108772)
Checksums-Sha1:
6da3f1e9eb40997ab2c706181362c77ae0886076 2480 sudo_1.9.17p2-1exp1.dsc
e0233ec6e4a0edc2cf5b3439f2972e4dcf5d474c 49376
sudo_1.9.17p2-1exp1.debian.tar.xz
4bcce0a01ceaa4aebac42a37b164bb64a7d12214 5598
sudo_1.9.17p2-1exp1_source.buildinfo
Checksums-Sha256:
9c7ad127176398044e8823218c8683f87dd5086eab367b4d754da4a6692713ba 2480
sudo_1.9.17p2-1exp1.dsc
7b1faee035adb84a7f7f3c67963496b8982f8fa0718e4c648c9c294db2f42598 49376
sudo_1.9.17p2-1exp1.debian.tar.xz
ed8e9185a5a92e0023538a97187c4b6c1089d8067c1a75a59cb62aef3aef6727 5598
sudo_1.9.17p2-1exp1_source.buildinfo
Files:
c73d22f33916b9f50f96ba8c2d6a2f24 2480 admin optional sudo_1.9.17p2-1exp1.dsc
8f9670ce241d61487d4992794873995d 49376 admin optional
sudo_1.9.17p2-1exp1.debian.tar.xz
17be3bbbf4b27e52f937f52fd22d3ceb 5598 admin optional
sudo_1.9.17p2-1exp1_source.buildinfo
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEE6QL5UJ/L0pcuNEbjj3cgEwEyBEIFAmlU80EACgkQj3cgEwEy
BEKj8g/8D9G2ZMABEWRskm5ho3MKfbzNKeKR58Vz+ATtNCPIAr/wTwgmRvHvfr2K
M4iotC1rAwoTnQz6nyTZUpFq4TSseeedZ2c3l1DltXOBIbPb5Pg883VeNuFeGu/x
cHbB1kx0/gGTplZ05U1KsRHhLq0UoyOOiK/DqgqUfXXhBMtdSYuBCGtZFyuzEc4N
OR/K+qn26FSTktHxytZ1Y4b1bgYYuoc3J9tTVriGktJcs7xYyV88NvuPLaplX4vU
iYbAk1jr0NpotkHVD/FYG+1RdbmebDe9Fl3k7oh1IcBxFHvh05KxZco0HTV4KR4y
Z1r5PDEORd2QSOpaZ0Xskzt21aIfcSVfj3Gj6pcuedk+NIdstHLbdPvfQxo2D0ik
iUFkDLLgExrZ7WuYpPgYlvQkspMiegdX9wNtXLaWryo0iDTuZSBx4ooD09zneuhL
dbQEUMl82hUDFMCi+khpsMh+lzybgahJsnmVI9Twue95l8zRUQKlJMtI11NiVY8D
kj7McaHOIUdvSKK9J4pWp5vUI4ffsJKhlKrNdpdumxnOWiTmZSslP4HOaLF5+v50
bF5dx0pAWfWdpJv957fKwXs5re0IkAHeDE+QW3zffohPaMnP5FDtvaHQEBw72K1T
ljColCaems0tZkhN2gzgcu6hz8WgUNbQGgv9B7i+0i4XvgEnBdk=
=8x/I
-----END PGP SIGNATURE-----
pgpNmhccpZHuf.pgp
Description: PGP signature
--- End Message ---
