Add -I flag to disable editing include files unless there is an error.

This can be used when you only want to edit a single sudoers file unless there is a pre-existing syntax error.
sudo-project · Oct 4, 2022 · fa952bf · fa952bf
1 parent 575200e
commit fa952bf
Show file tree

Hide file tree

Showing 3 changed files with 52 additions and 6 deletions.
diff --git a/docs/visudo.man.in b/docs/visudo.man.in
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "VISUDO" "@mansectsu@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "VISUDO" "@mansectsu@" "October 4, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -30,7 +30,7 @@
 .SH "SYNOPSIS"
 .HP 7n
 \fBvisudo\fR
-[\fB\-chOPqsV\fR]
+[\fB\-chIOPqsV\fR]
 [[\fB\-f\fR]\ \fIsudoers\fR]
 .SH "DESCRIPTION"
 \fBvisudo\fR
@@ -208,6 +208,24 @@ option.
 \fB\-h\fR, \fB\--help\fR
 Display a short help message to the standard output and exit.
 .TP 12n
+\fB\-I\fR, \fB\--no-includes\fR
+Disable the editing of include files unless there is a pre-existing
+syntax error.
+By default,
+\fBvisudo\fR
+will edit the main
+\fIsudoers\fR
+file and any files included via
+\fI@include\fR
+or
+\fI#include\fR
+directives.
+Files included via
+\fI@includedir\fR
+or
+\fI#includedir\fR
+are never edited unless they contain a syntax error.
+.TP 12n
 \fB\-O\fR, \fB\--owner\fR
 Enforce the default ownership (user and group) of the
 \fIsudoers\fR

diff --git a/docs/visudo.mdoc.in b/docs/visudo.mdoc.in
@@ -20,15 +20,15 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd September 13, 2022
+.Dd October 4, 2022
 .Dt VISUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
 .Nm visudo
 .Nd edit the sudoers file
 .Sh SYNOPSIS
 .Nm visudo
-.Op Fl chOPqsV
+.Op Fl chIOPqsV
 .Op Bo Fl f Bc Ar sudoers
 .Sh DESCRIPTION
 .Nm
@@ -203,6 +203,23 @@ path can be specified without using the
 option.
 .It Fl h , -help
 Display a short help message to the standard output and exit.
+.It Fl I , -no-includes
+Disable the editing of include files unless there is a pre-existing
+syntax error.
+By default,
+.Nm
+will edit the main
+.Ar sudoers
+file and any files included via
+.Em @include
+or
+.Em #include
+directives.
+Files included via
+.Em @includedir
+or
+.Em #includedir
+are never edited unless they contain a syntax error.
 .It Fl O , -owner
 Enforce the default ownership (user and group) of the
 .Em sudoers

diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c
@@ -1,7 +1,7 @@
 /*
  * SPDX-License-Identifier: ISC
  *
- * Copyright (c) 1996, 1998-2005, 2007-2018
+ * Copyright (c) 1996, 1998-2005, 2007-2022
  *	Todd C. Miller <[email protected]>
  *
  * Permission to use, copy, modify, and distribute this software for any
@@ -109,13 +109,15 @@ struct sudo_user sudo_user;
 struct passwd *list_pw;
 static struct sudoersfile_list sudoerslist = TAILQ_HEAD_INITIALIZER(sudoerslist);
 static bool checkonly;
+static bool edit_includes = true;
 static unsigned int errors;
-static const char short_opts[] =  "cf:hOPqsVx:";
+static const char short_opts[] =  "cf:hIOPqsVx:";
 static struct option long_opts[] = {
     { "check",		no_argument,		NULL,	'c' },
     { "export",		required_argument,	NULL,	'x' },
     { "file",		required_argument,	NULL,	'f' },
     { "help",		no_argument,		NULL,	'h' },
+    { "no-includes",	no_argument,		NULL,	'I' },
     { "owner",		no_argument,		NULL,	'O' },
     { "perms",		no_argument,		NULL,	'P' },
     { "quiet",		no_argument,		NULL,	'q' },
@@ -192,6 +194,9 @@ main(int argc, char *argv[])
 	    case 'h':
 		help();
 		break;
+	    case 'I':
+		edit_includes = false;
+		break;
 	    case 'O':
 		use_owner = true;	/* check/set owner */
 		break;
@@ -1087,6 +1092,11 @@ open_sudoers(const char *path, bool doedit, bool *keepopen)
 	    break;
     }
     if (entry == NULL) {
+	if (doedit && !edit_includes) {
+	    /* Only edit the main sudoers file. */
+	    if (strcmp(path, sudoers_file) != 0)
+		doedit = false;
+	}
 	if ((entry = new_sudoers(path, doedit)) == NULL)
 	    debug_return_ptr(NULL);
 	if ((fp = fdopen(entry->fd, "r")) == NULL)
@@ -1233,6 +1243,7 @@ help(void)
 	"  -c, --check              check-only mode\n"
 	"  -f, --file=sudoers       specify sudoers file location\n"
 	"  -h, --help               display help message and exit\n"
+	"  -I, --no-includes        do not edit include files\n"
 	"  -q, --quiet              less verbose (quiet) syntax error messages\n"
 	"  -s, --strict             strict syntax checking\n"
 	"  -V, --version            display version information and exit\n"));