diff --git a/docs/visudo.man.in b/docs/visudo.man.in
index 6610ada53..d239808af 100644
--- a/docs/visudo.man.in
+++ b/docs/visudo.man.in
@@ -21,7 +21,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.TH "VISUDO" "@mansectsu@" "September 13, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
+.TH "VISUDO" "@mansectsu@" "October 4, 2022" "Sudo @PACKAGE_VERSION@" "System Manager's Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -30,7 +30,7 @@
 .SH "SYNOPSIS"
 .HP 7n
 \fBvisudo\fR
-[\fB\-chOPqsV\fR]
+[\fB\-chIOPqsV\fR]
 [[\fB\-f\fR]\ \fIsudoers\fR]
 .SH "DESCRIPTION"
 \fBvisudo\fR
@@ -208,6 +208,24 @@ option.
 \fB\-h\fR, \fB\--help\fR
 Display a short help message to the standard output and exit.
 .TP 12n
+\fB\-I\fR, \fB\--no-includes\fR
+Disable the editing of include files unless there is a pre-existing
+syntax error.
+By default,
+\fBvisudo\fR
+will edit the main
+\fIsudoers\fR
+file and any files included via
+\fI@include\fR
+or
+\fI#include\fR
+directives.
+Files included via
+\fI@includedir\fR
+or
+\fI#includedir\fR
+are never edited unless they contain a syntax error.
+.TP 12n
 \fB\-O\fR, \fB\--owner\fR
 Enforce the default ownership (user and group) of the
 \fIsudoers\fR
diff --git a/docs/visudo.mdoc.in b/docs/visudo.mdoc.in
index fec556c6d..33ebfaa53 100644
--- a/docs/visudo.mdoc.in
+++ b/docs/visudo.mdoc.in
@@ -20,7 +20,7 @@
 .\" Agency (DARPA) and Air Force Research Laboratory, Air Force
 .\" Materiel Command, USAF, under agreement number F39502-99-1-0512.
 .\"
-.Dd September 13, 2022
+.Dd October 4, 2022
 .Dt VISUDO @mansectsu@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -28,7 +28,7 @@
 .Nd edit the sudoers file
 .Sh SYNOPSIS
 .Nm visudo
-.Op Fl chOPqsV
+.Op Fl chIOPqsV
 .Op Bo Fl f Bc Ar sudoers
 .Sh DESCRIPTION
 .Nm
@@ -203,6 +203,23 @@ path can be specified without using the
 option.
 .It Fl h , -help
 Display a short help message to the standard output and exit.
+.It Fl I , -no-includes
+Disable the editing of include files unless there is a pre-existing
+syntax error.
+By default,
+.Nm
+will edit the main
+.Ar sudoers
+file and any files included via
+.Em @include
+or
+.Em #include
+directives.
+Files included via
+.Em @includedir
+or
+.Em #includedir
+are never edited unless they contain a syntax error.
 .It Fl O , -owner
 Enforce the default ownership (user and group) of the
 .Em sudoers
diff --git a/plugins/sudoers/visudo.c b/plugins/sudoers/visudo.c
index 835dac3ae..734118bac 100644
--- a/plugins/sudoers/visudo.c
+++ b/plugins/sudoers/visudo.c
@@ -1,7 +1,7 @@
 /*
 * SPDX-License-Identifier: ISC
 *
- * Copyright (c) 1996, 1998-2005, 2007-2018
+ * Copyright (c) 1996, 1998-2005, 2007-2022
 * Todd C. Miller
 *
 * Permission to use, copy, modify, and distribute this software for any
@@ -109,13 +109,15 @@ struct sudo_user sudo_user;
 struct passwd *list_pw;
 static struct sudoersfile_list sudoerslist = TAILQ_HEAD_INITIALIZER(sudoerslist);
 static bool checkonly;
+static bool edit_includes = true;
 static unsigned int errors;
-static const char short_opts[] = "cf:hOPqsVx:";
+static const char short_opts[] = "cf:hIOPqsVx:";
 static struct option long_opts[] = {
 { "check", no_argument, NULL, 'c' },
 { "export", required_argument, NULL, 'x' },
 { "file", required_argument, NULL, 'f' },
 { "help", no_argument, NULL, 'h' },
+ { "no-includes", no_argument, NULL, 'I' },
 { "owner", no_argument, NULL, 'O' },
 { "perms", no_argument, NULL, 'P' },
 { "quiet", no_argument, NULL, 'q' },
@@ -192,6 +194,9 @@ main(int argc, char *argv[])
 case 'h':
 help();
 break;
+ case 'I':
+ edit_includes = false;
+ break;
 case 'O':
 use_owner = true; /* check/set owner */
 break;
@@ -1087,6 +1092,11 @@ open_sudoers(const char *path, bool doedit, bool *keepopen)
 break;
 }
 if (entry == NULL) {
+ if (doedit && !edit_includes) {
+ /* Only edit the main sudoers file. */
+ if (strcmp(path, sudoers_file) != 0)
+ doedit = false;
+ }
 if ((entry = new_sudoers(path, doedit)) == NULL)
 debug_return_ptr(NULL);
 if ((fp = fdopen(entry->fd, "r")) == NULL)
@@ -1233,6 +1243,7 @@ help(void)
 " -c, --check check-only mode\n"
 " -f, --file=sudoers specify sudoers file location\n"
 " -h, --help display help message and exit\n"
+ " -I, --no-includes do not edit include files\n"
 " -q, --quiet less verbose (quiet) syntax error messages\n"
 " -s, --strict strict syntax checking\n"
 " -V, --version display version information and exit\n"));
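Review bot: The comment `/* Only edit the main sudoers file. */` added in open_sudoers understates the behaviour this same commit documents: the man-page text says include files are still edited when they contain a pre-existing syntax error, and nothing in this hunk shows that exception, so a reader of the code alone will take -I as absolute. Presumably the parse-error path re-enables editing elsewhere; the comment should say so, e.g. `/* With -I, only the main sudoers file is opened for editing here; an include file that has a syntax error is still edited via the error-reporting path. */`. The guard is also a plain strcmp of `path` against `sudoers_file`, so it relies on the include being spelled exactly like the -f/default path; whether the entry lookup above this hunk matches paths the same way is outside the hunk, so this may already be consistent and only worth a note. open_sudoers begins before and continues after the hunk.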