From: pkill9
To: "guix-devel@gnu.org"
Subject: Verify validity of sudoers file when reconfiguring system.
Date: Sun, 2 Aug 2020 13:11:15 +0100
Message-ID: <20200802131115.720bdf36@runbox.com>

Last time I tested, the sudoers file could be changed to anything in the guix system configuration, whether it's valid or not. This could result in someone being locked out of their system when root doesn't have a password, and they rely on sudo.

Ideally, `guix system reconfigure` would fail if the specified sudoers file is invalid.

I ran `visudo --help` and there are two flags that could be used for this: --check, which simply parses the sudoers file and checks that it's valid, and --file, which specifies which file to check.
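
The check proposed in the message above, as an added shell example that is not part of the original post and is not Guix code: a candidate file is parsed with `visudo --check --file` and replaces the live file only if it is accepted. The function name `install_sudoers` and the `VISUDO` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: gate a sudoers change on `visudo --check --file`.
# install_sudoers and the VISUDO variable are hypothetical names.

# install_sudoers CANDIDATE TARGET
#   0  CANDIDATE parsed cleanly and now replaces TARGET
#   1  visudo rejected CANDIDATE; TARGET is left untouched
#   2  I/O problem (unreadable candidate, staging or rename failed)
install_sudoers() {
    candidate=$1
    target=$2
    visudo_bin=${VISUDO:-visudo}   # overridable so the gate can be tested

    [ -r "$candidate" ] || { echo "cannot read $candidate" >&2; return 2; }

    # --check only parses; --file points visudo at the candidate instead
    # of the live sudoers file, so nothing is modified by the check.
    if ! "$visudo_bin" --check --file="$candidate" >&2; then
        echo "refusing to install invalid sudoers: $candidate" >&2
        return 1
    fi

    # Stage next to the target so the final rename stays on one
    # filesystem and the live file is never seen half-written.
    staged=$(mktemp "$(dirname "$target")/.sudoers.XXXXXX") || return 2
    if cp "$candidate" "$staged" &&
       chmod 0440 "$staged" &&
       mv -f "$staged" "$target"; then
        return 0
    fi
    rm -f "$staged"
    return 2
}
```

A caller that aborts on a non-zero return keeps the previous, working file in place, which avoids the lock-out described in the message.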