[PC-BSD Testing] updating pkg blows away sudoers

Kris Moore kris at pcbsd.org
Wed Oct 23 08:24:02 PDT 2013


On 10/23/2013 10:37, Gour wrote:
> On Wed, 23 Oct 2013 12:48:22 +0200
> Lars Engels <lars.engels at 0x20.net> wrote:
>
>> I think the proper solution to this is to encourage users to add their
>> own sudoers files in /usr/local/etc/sudoers.d/, so
>> /usr/local/etc/sudoers can be overwritten in an update.
> Any filename in the above directory will do?
>
>
> Sincerely,
> Gour
>

Good catch Lars, I've put a notice at the top of our default
/usr/local/etc/sudoers file that customizations to it will be
overwritten, and to use the /usr/local/etc/sudoers.d/ directory instead.

For reference from the sudoers manpage:

-------

     The #includedir directive can be used to create a sudo.d directory that
     the system package manager can drop sudoers rules into as part of
     package installation.  For example, given:

         #includedir /usr/local/etc/sudoers.d

     sudo will read each file in /etc/sudoers.d, skipping file names that
     end in `~' or contain a `.' character to avoid causing problems with
     package manager or editor temporary/backup files.  Files are parsed in
     sorted lexical order.  That is, /etc/sudoers.d/01_first will be parsed
     before /etc/sudoers.d/10_second.  Be aware that because the sorting is
     lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after
     /etc/sudoers.d/10_second.  Using a consistent number of leading zeroes
     in the file names can be used to avoid such problems.

     Note that unlike files included via #include, visudo will not edit the
     files in a #includedir directory unless one of them contains a syntax
     error.  It is still possible to run visudo with the -f flag to edit the
     files directly.



-- 
Kris Moore
PC-BSD Software
iXsystems
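
An added example (not part of the original message and not code from sudo or PC-BSD): a small Python audit that applies the manpage rules quoted above to a directory listing, reporting which drop-in files sudo would skip and where lexical order differs from the numeric order of the prefixes. The function names and sample file names are constructed for illustration, and "sorted lexical order" is assumed to be plain code-point order.

```python
import os
import re
import tempfile


def classify(names):
    """Return (parsed, skipped): names sudo reads, in parse order, and names it ignores."""
    # Rule from the quoted manpage: skip names ending in '~' or containing '.'.
    skipped = sorted(n for n in names if n.endswith("~") or "." in n)
    # Assumption: "sorted lexical order" is modelled as plain code-point order.
    parsed = sorted(n for n in names if n not in skipped)
    return parsed, skipped


def order_surprises(parsed):
    """Pairs (earlier, later) where a larger numeric prefix is parsed before a smaller one."""
    numbered = [(n, int(m.group())) for n in parsed if (m := re.match(r"\d+", n))]
    return [(a, b) for i, (a, x) in enumerate(numbered)
            for b, y in numbered[i + 1:] if x > y]


def audit(directory):
    """Classify the regular files found in a sudoers.d-style directory."""
    names = [n for n in os.listdir(directory)
             if os.path.isfile(os.path.join(directory, n))]
    parsed, skipped = classify(names)
    return {"parsed": parsed, "skipped": skipped,
            "surprises": order_surprises(parsed)}


def demo():
    """Build a constructed sample directory (hypothetical file names) and audit it."""
    sample = ["01_first", "10_second", "1_whoops", "admins.conf", "wheel~", "local"]
    with tempfile.TemporaryDirectory() as d:
        for name in sample:
            with open(os.path.join(d, name), "w") as fh:
                fh.write("# constructed sample, no rules\n")
        return audit(d)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Calling `audit("/usr/local/etc/sudoers.d")` after an update shows whether a custom rules file is being silently ignored because of its name.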


