Sudo 1.9.3: improved sudoers handling
Version 1.9.3 brought several improvements to how the sudoers file is handled: sudoedit no longer saves zero-length files, error messages are more accurate in many cases, and sudo no longer refuses to run if the file contains a syntax error. Let’s take a more detailed look at these changes!
These new features were introduced in sudo version 1.9.3. There is a good chance that your operating system includes an older version of sudo. You can download ready-to-use binaries for many different operating systems directly from the sudo website or you can build sudo from source yourself.
A zero-length sudoers file, while syntactically correct, does not allow any user to do anything, so visudo does not save one. Starting with sudo 1.9.3, sudoedit behaves the same way: if the edited file is empty, sudoedit no longer saves it automatically but asks the user before overwriting the original file.
[czanik@centos7sudo ~]$ sudoedit /etc/bla
sudoedit: truncate /etc/bla to zero bytes? (y/n) [n]
sudoedit: not overwriting /etc/bla
In many cases, the error messages in sudo 1.9.3 are more detailed. In previous versions, error messages about rules were rather generic:
[root@localhost ~]# visudo
>>> /etc/sudoers: syntax error near line 108 <<<
What now?
The same error now results in a more detailed error message in sudo version 1.9.3:
[root@centos7sudo ~]# visudo
/etc/sudoers:4: syntax error, unexpected '(', expecting '=' or ','
%admins ALLó(ALL) ALL
^
What now?
Instead of having to rely on line numbers, I can see the problematic line right away and where in the line the error is. I make similar mistakes regularly, largely due to the Hungarian keyboard. When I forget to switch back to the US layout, I enter an accent-marked Hungarian character instead of the equal sign.
Better error messages required a change that should not affect many users but is still important to know about: a sudoers rule must now end in either a newline or the end of the file. Previously, it was possible to put multiple rules on a single line, separated only by white space. Requiring an end-of-line terminator is what makes it possible to point at the exact position of an error.
Sudo no longer refuses to run if it encounters a syntax error in the sudoers file. The entry containing the syntax error is discarded and sudo continues to parse the rest of the file. This makes recovery from a syntax error less painful on systems where sudo is the primary method of superuser access, like Ubuntu. The historic behavior can be restored by adding error_recovery=false to the sudoers plugin’s optional arguments in the sudo.conf file.
Here’s what happens if you somehow save a sudoers file with the error shown in the previous example:
[czanik@centos7sudo ~]$ sudo -s
/etc/sudoers:3: syntax error, unexpected '(', expecting '=' or ','
%admins ALLó(ALL) ALL
^
[sudo] password for czanik:
Instead of having to hack your own system, with a bit of luck there is still a rule in your sudoers file that lets you in to recover from the syntax error. Of course, this does not cover every situation, so knowing the root password is still recommended when you are experimenting with sudo settings.
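For reference, this is what the setting looks like in sudo.conf. It is an added illustration, not part of the original post: the Plugin line syntax and the error_recovery option are taken from the sudo.conf manual page, and the comments are mine. The option belongs on the sudoers_policy Plugin line in sudo.conf, not in the sudoers file itself.

```text
# /etc/sudo.conf (added example, not the original post's configuration)
#
# Default behavior in sudo 1.9.3 and later: a sudoers entry with a syntax
# error is discarded and parsing continues, so the remaining rules still
# apply.  Leaving error_recovery unset is the same as error_recovery=true.
#Plugin sudoers_policy sudoers.so

# Restore the pre-1.9.3 behavior: any syntax error in sudoers makes sudo
# refuse to run at all.
Plugin sudoers_policy sudoers.so error_recovery=false

# The I/O logging plugin line is unchanged by this option.
Plugin sudoers_io sudoers.so
```

Whichever behavior you choose, visudo -c checks the installed sudoers file (and the files it includes) for syntax errors without opening an editor, so it is worth running before you log out of a session in which sudoers was edited by hand. With error recovery enabled, the syntax error is also printed on every sudo invocation, as in the output above, which is a useful hint that a rule has been silently dropped.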
If you would like to be notified about new posts and sudo news, sign up for the sudo blog announcement mailing list.