On Thu, Sep 23, 2021 at 10:56:00PM -0700, Josh Triplett wrote:
> /etc/sudoers.d/README says "all files in this directory should be mode
> 0440". However, sudo does not actually seem to require this, and there's
> no obvious reason why sudoers files *need* to restrict world
> readability or root writability. The default mode of 0644 seems fine,
> and sudo does not complain about sudoers.d files with mode 0644.
I think this was taken from man sudoers, where upstream writes:
    /etc/sudoers is world writable
        The permissions on the sudoers file allow all users to write to it.
        The sudoers file must not be world-writable, the default file mode
        is 0440 (readable by owner and group, writable by none). The
        default mode may be changed via the “sudoers_mode” option to the
        sudoers Plugin line in the sudo.conf(5) file.
I think that Debian should not give advice that contradicts upstream. But
I might be convinced. And, our README says should, not SHOULD in an RFC
sense. It also encourages people to edit sudoers through the provided
scripts, which provide at least a basic syntax check and a rollback
facility to not lock yourself out of your system.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
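The distinction the thread turns on, as an added example that is not part of the mail exchange or of Debian's sudo packaging: an audit function that separates the one mode sudo itself rejects (world-writable) from modes that merely differ from the 0440 the README recommends. It assumes a POSIX sh with ls(1) printing the usual ten-character mode string, and builds its own constructed sample directory rather than touching /etc/sudoers.d.

```shell
#!/bin/sh
# audit_sudoers_dir DIR
# Prints "STATUS PERMS NAME" per regular file in DIR.
#   WORLD_WRITABLE  others have write permission; sudoers(5) says sudo
#                   refuses such a file, so this is the real problem.
#   NONSTANDARD     readable more widely than 0440 (e.g. 0644); sudo
#                   accepts it, it only deviates from the README advice.
#   OK              exactly -r--r----- (0440).
# Returns 1 if any file is world-writable, 0 otherwise.
audit_sudoers_dir() {
    dir=$1
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Characters 1-10 of ls -ld: type, then rwx for user/group/other.
        perms=$(ls -ld "$f" | cut -c1-10)
        case "$perms" in
            ????????w?) status=WORLD_WRITABLE; rc=1 ;;  # 9th char = other-write
            -r--r-----) status=OK ;;
            *)          status=NONSTANDARD ;;
        esac
        printf '%s %s %s\n' "$status" "$perms" "${f##*/}"
    done
    return $rc
}

# Optional syntax check of one file with visudo, as the README's helper
# scripts do; skipped quietly where visudo is not installed.
check_syntax() {
    command -v visudo >/dev/null 2>&1 || { echo "visudo not available"; return 0; }
    visudo -c -f "$1"
}

# Constructed sample: three empty files with the modes discussed above.
make_sample_dir() {
    d=$(mktemp -d)
    : > "$d/10-ok";   chmod 0440 "$d/10-ok"    # README-conformant
    : > "$d/20-wide"; chmod 0644 "$d/20-wide"  # Josh's proposed default
    : > "$d/30-bad";  chmod 0666 "$d/30-bad"   # what upstream forbids
    printf '%s\n' "$d"
}

# Stand-alone run: audit the sample directory and report the verdict.
if [ "${AUDIT_DEMO:-1}" = 1 ]; then
    sample=$(make_sample_dir)
    audit_sudoers_dir "$sample" || echo "at least one world-writable file"
    rm -rf "$sample"
fi
```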