Order-dependency/inconsistency in sudoers parameter=value parsing wrt. quotes

15 September 2025 at 17:11
Location: Issue trackers: Github
Keywords: sudo, Ubuntu

Describe the bug
I’m testing sudo-rs, and came across a bit of weirdness in sudoers parsing, related to quotes and parameter order.

To Reproduce

  1. $ touch test
  2. edit /etc/sudoers.d/90-ssh-auth-sock to look like this:
    Defaults!/bin/chown timestamp_timeout=1,env_keep+=SSH_AUTH_SOCK
  3. $ sudo-rs chown root:root test # this works as expected
  4. edit /etc/sudoers.d/90-ssh-auth-sock to reorder the parameter=value pairs like this:
    Defaults!/bin/chown env_keep+=SSH_AUTH_SOCK,timestamp_timeout=1
  5. $ sudo-rs chown jani:jani test # this fails:
    /etc/sudoers.d/90-ssh-auth-sock:1:63: double quotes are required for VAR=value pairs
    Defaults!/bin/chown env_keep+=SSH_AUTH_SOCK,timestamp_timeout=1
                                                                  ^

Expected behavior

For sudo-rs to perform the command in 5. without error, as it did in point 3.

Environment (please complete the following information):

  • Ubuntu 24.04
  • sudo-rs commit hash: b434d4d (precompiled version 0.2.8 binary from the Github release page)

Additional context
For background, I’m using pam_ssh_agent_auth to authorize my user with SSH keys to run some commands, which requires env_keep+=SSH_AUTH_SOCK.

I also like to have it time out immediately, so I additionally set timestamp_timeout=0. I initially thought the issue was caused by the zero, but testing with timestamp_timeout=1 resulted in the same errors, so that’s what I’m using here, for unambiguity.

The caret in the error message points to timestamp_timeout’s value, so I’d assume the logical solution is to quote that value, like this:

Defaults!/bin/chown env_keep+=SSH_AUTH_SOCK,timestamp_timeout="1"

But this doesn’t help:

$ sudo-rs chown jani:jani test
/etc/sudoers.d/90-ssh-auth-sock:1:63: double quotes are required for VAR=value pairs
Defaults!/bin/chown env_keep+=SSH_AUTH_SOCK,timestamp_timeout="1"
                                                              ^

So my next thought is to quote both values:

Defaults!/bin/chown env_keep+="SSH_AUTH_SOCK",timestamp_timeout="1"

This causes a different error:

$ sudo-rs chown jani:jani test
/etc/sudoers.d/90-ssh-auth-sock:1:65: expected nonnegative number
Defaults!/bin/chown env_keep+="SSH_AUTH_SOCK",timestamp_timeout="1"
                                                                ^

The only remaining option is to quote only the first parameter value. Surprisingly, this works:

Defaults!/bin/chown env_keep+="SSH_AUTH_SOCK",timestamp_timeout=1

$ sudo-rs chown jani:jani test
$

With OG sudo, any order or combination of these parameters, quoted or unquoted, works as expected.

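The manual test matrix in the report (two parameter orders, each value quoted or unquoted) can be enumerated mechanically and fed to a sudoers syntax checker. The script below is an added example, not part of the original report or of sudo-rs; the CHECKER variable, the function names and the `--run` switch are assumptions, and it presumes the checker shares its parser with the sudo binary being tested.

```shell
#!/bin/sh
# Added example: build every order x quoting variant of the Defaults line from
# the report and run a sudoers syntax checker on each one in a scratch file,
# so nothing under /etc/sudoers.d is touched while testing.

# Assumption: CHECKER takes a sudoers file path as its last argument and exits
# non-zero on a parse error. `visudo -c -f FILE` is the check-only form; point
# CHECKER at the visudo that belongs to the implementation under test.
CHECKER="${CHECKER:-visudo -c -f}"

# Print the 8 variants: 2 quoting choices per value, 2 parameter orders.
variants() {
    for env in 'env_keep+=SSH_AUTH_SOCK' 'env_keep+="SSH_AUTH_SOCK"'; do
        for ts in 'timestamp_timeout=1' 'timestamp_timeout="1"'; do
            printf 'Defaults!/bin/chown %s,%s\n' "$env" "$ts"
            printf 'Defaults!/bin/chown %s,%s\n' "$ts" "$env"
        done
    done
}

# Check each variant in isolation; the return status is the number rejected.
check_variants() {
    tmp=$(mktemp) || return 99
    rejected=0
    while IFS= read -r line; do
        printf '%s\n' "$line" > "$tmp"
        if $CHECKER "$tmp" >/dev/null 2>&1; then
            printf 'OK      %s\n' "$line"
        else
            printf 'REJECT  %s\n' "$line"
            rejected=$((rejected + 1))
        fi
    done <<EOF
$(variants)
EOF
    rm -f "$tmp"
    return "$rejected"
}

# Run only when asked to, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    check_variants
    exit $?
fi
```

Running it once per implementation and comparing the OK/REJECT columns shows which orderings and quotings the two parsers disagree on.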