Running a fresh install of Ubuntu server 16.04.1, I tried to add a file in /etc/sudoers.d/ to give one user root privileges for a certain command.
I added the file /etc/sudoers.d/servicetest with the following content:
servicetest ALL = (root) NOPASSWD: /bin/systemctl status *

The file /etc/sudoers is left untouched. It contains #includedir /etc/sudoers.d as the last line.
This setup is unfortunately not working: when executing an appropriate command with sudo as the user servicetest, I am still asked for the password. However, if I move the content of the file /etc/sudoers.d/servicetest to the end of /etc/sudoers, everything works as expected.
What could be the cause of this issue? How can I get files in /etc/sudoers.d/ working?
4 Answers
In my CentOS 7, the system would not recognize the file if it had a dot in its name. For instance:
/etc/sudoers.d/user.perms # This file doesn't work
/etc/sudoers.d/userperms # This file does

Apparently, the files that are included in the /etc/sudoers file must have 0440 permissions for security reasons. That way only root can edit the file and only the owner and members of the owner group can read it, making it less likely that the file will be used as an attempt to escalate privileges.
You can check the requirements on the included file on /etc/sudoers.d/README, but two other requirements are that the filename shouldn't start with a . (hidden files) or end with a ~ (convention for backup files).
Credits to @steeldriver for confirming the theory and finding the /etc/sudoers.d/README file!
The problem was not, as answered by IanC, caused by the file permissions (sudo happily accepts a file owned by root:root 0644, as I can confirm now, although it should of course be root:root 0440 for security reasons!), but by a newline at the end of the file which was preceded by a Windows-style line ending (\r\n).
sudo only accepts \n as line endings.
I hit the same issue as @Guillermo Prandi on Ubuntu 20.04.
If I create a file with a .conf extension, it does not work. But if .conf is removed, it works well.
I doubt that the 99-snapd.conf file works well.
As /etc/sudoers.d/README says, "that do not end in '~' or contain a '.' character."
@IanC wrote "that the filename shouldn't start with a . (hidden files)", but I guess it may have been updated in the newer version.
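Pulling the rules from the answers above together (no '.' anywhere in the file name, no trailing '~', mode 0440, and \n-only line endings), here is an added shell example that checks a drop-in before it goes into /etc/sudoers.d. It is not code from this thread or from the sudo project; the function names check_sudoers_dropin, normalize_sudoers_dropin and check_sudoers_syntax, the demo files and the rule line in them are this example's own constructions.

```shell
#!/bin/sh
# Added example for this thread (not code from the original posts or from
# the sudo project). Checks a candidate drop-in for /etc/sudoers.d against
# the rules the answers quote from /etc/sudoers.d/README, plus the CRLF
# problem the asker found. Function names are this example's own.

# check_sudoers_dropin FILE
# Prints one line per problem; returns 0 if the file passes, 1 otherwise.
check_sudoers_dropin() {
    f=$1
    rc=0
    name=$(basename "$f")
    # #includedir skips names containing '.' (so user.perms and
    # 99-snapd.conf are silently ignored) ...
    case $name in
        *.*) echo "$f: name contains '.', sudo will ignore this file"; rc=1 ;;
    esac
    # ... and names ending in '~' (editor backup files).
    case $name in
        *~) echo "$f: name ends in '~', sudo will ignore this file"; rc=1 ;;
    esac
    if [ ! -f "$f" ]; then
        echo "$f: not a regular file"
        return 1
    fi
    # README asks for mode 0440 (sudo may accept looser modes, as the asker
    # saw with 0644, but this check is deliberately strict).
    # GNU stat first, BSD stat as a fallback.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null)
    case $mode in
        440) ;;
        *)   echo "$f: mode is 0$mode, expected 0440"; rc=1 ;;
    esac
    # sudo only accepts \n line endings (see the asker's own answer); a
    # stray \r from a Windows editor makes the rule not apply.
    if grep -q "$(printf '\r')" "$f"; then
        echo "$f: contains CR characters (Windows line endings)"
        rc=1
    fi
    return $rc
}

# normalize_sudoers_dropin FILE
# Strips CR characters and sets mode 0440. Ownership is not touched: copy
# the result into /etc/sudoers.d as root, for example with
#   install -o root -g root -m 0440 servicetest /etc/sudoers.d/servicetest
normalize_sudoers_dropin() {
    f=$1
    tmp="$f.tmp.$$"
    tr -d '\r' < "$f" > "$tmp" && mv "$tmp" "$f"
    chmod 0440 "$f"
}

# check_sudoers_syntax FILE
# Parses FILE with visudo in check-only mode (-c) on that file (-f) when
# visudo is installed. visudo also reports owner and mode problems, so run
# this as root on the installed copy rather than on a working copy.
check_sudoers_syntax() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -cf "$1"
    else
        echo "visudo not found, skipping syntax check"
    fi
}

# Demo on constructed files in a temp dir (not real /etc/sudoers.d entries).
demo_sudoers_dropins() {
    d=$(mktemp -d)
    rule='servicetest ALL = (root) NOPASSWD: /bin/systemctl status *'
    printf '%s\n' "$rule" > "$d/servicetest"          # correct
    printf '%s\r\n' "$rule" > "$d/servicetest-crlf"   # saved from Windows
    printf '%s\n' "$rule" > "$d/servicetest.conf"     # dot in the name
    printf '%s\n' "$rule" > "$d/loose"                # wrong mode
    chmod 0440 "$d/servicetest" "$d/servicetest-crlf" "$d/servicetest.conf"
    chmod 0644 "$d/loose"
    for p in "$d"/*; do
        if check_sudoers_dropin "$p"; then echo "$p: OK"; fi
    done
    normalize_sudoers_dropin "$d/servicetest-crlf"
    if check_sudoers_dropin "$d/servicetest-crlf"; then
        echo "$d/servicetest-crlf: OK after normalize"
    fi
    rm -rf "$d"
}
demo_sudoers_dropins
```

Run check_sudoers_dropin on the file in your working directory before copying it into /etc/sudoers.d; a file that passes these checks and then still prompts for a password is a syntax or rule-matching problem, which is what check_sudoers_syntax (visudo -cf) is for.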