Bug 941 - Error message for forbidden tokens unclear
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Visudo
Version: 1.9.3
Hardware: PC Linux
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2020-09-24 10:21 MDT by gesh
Modified: 2021-09-11 15:55 MDT

Description gesh 2020-09-24 10:21:39 MDT
2f0aca92c360 introduced the CWD and CHROOT directives, making these keywords forbidden in other contexts. Naturally, this breaks configs using these names, with trivial migrations.
However, figuring out that this is the cause of the errors is less than trivial with the error messages given:

/etc/sudoers:40: syntax error, unexpected CHROOT, expecting ALIAS
Cmnd_Alias	CHROOT = /usr/bin/mkarchroot, /usr/bin/arch-nspawn, /usr/bin/makechrootpkg, /usr/bin/extra-x86_64-build
           ^~~~~~
/etc/sudoers:119: syntax error, unexpected '\n', expecting '='
INSTALLERS ALL=INSTALL, UNINSTALL, CHROOT
                                         ^

Moreover, this stolen syntax could have been more prominently signalled in the changelog. At the very least, a message along the lines of "Changes x, y and z changed the syntax of sudoers, when updating please check that your sudoers is up to date with the syntax" would have been helpful. Not masking such a change behind a minor release would also have been helpful. A quick search failed to yield any official versioning policy; something along the lines of SemVer (https://semver.org) might be helpful.
Comment 1 Todd C. Miller 2020-09-24 13:37:30 MDT
It's unfortunate that adding those created new reserved words in sudoers; I agree they need to be documented.  With the existing sudoers grammar, I don't see a way to resolve the ambiguity in the parser between an alias name and an option name.

The syntax error messages are actually a lot better in 1.9.3 than before.  Previously, sudo would simply have said "parse error near line 40".  It may be possible to improve them further.
Comment 2 Todd C. Miller 2020-09-25 13:54:23 MDT
I just committed changes to the sudoers parser so that there is a better error message when declaring an alias with the same name as a reserved word.

Now instead of:
    syntax error, unexpected CHROOT, expecting ALIAS

You get:
    syntax error, reserved word used as an alias name

with the offending token underlined in the message.  I've also updated the man page to explicitly list the reserved words and added a warning to the upgrade notes.
Comment 3 Todd C. Miller 2020-11-30 13:24:53 MST
Fixed in sudo 1.9.4
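
A pre-upgrade check for the breakage discussed in this bug, as an added example that is not part of the bug report or of sudo: it scans sudoers text for aliases named CWD or CHROOT (the two keywords the report names), both where they are defined and where they are referenced. The function names, the RESERVED set and the sample text are assumptions made for illustration.

```python
import re

# Only the two keywords this bug report names; extend the set from the
# reserved-word list in the sudoers man page of the version you deploy.
RESERVED = {"CWD", "CHROOT"}
ALIAS_DEF = re.compile(r"^\s*(User|Runas|Host|Cmn?d)_Alias\s+(.*)$", re.S)
# A reserved word NOT followed by '=' is an alias reference, not an option.
ALIAS_REF = re.compile(r"(?<![\w/.-])(%s)(?![\w/.-])(?!\s*=)" % "|".join(sorted(RESERVED)))

# Constructed sample, modelled on the two lines quoted in the report,
# plus one valid use of the CWD= option that must not be flagged.
SAMPLE = """\
# CHROOT helpers
Cmnd_Alias CHROOT = /usr/bin/mkarchroot, \\
                    /usr/bin/arch-nspawn
INSTALLERS ALL=INSTALL, UNINSTALL, CHROOT
build ALL = CWD=/srv/build /usr/bin/make
"""

def logical_lines(text):
    """Yield (first_line_number, joined_text), folding backslash-newline."""
    buf, start = "", None
    for num, line in enumerate(text.splitlines(), 1):
        if start is None:
            start = num
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None
    if start is not None:          # file ended inside a continuation
        yield start, buf

def find_reserved_aliases(text):
    """Return sorted (line, 'definition'|'reference', name) findings."""
    findings = set()
    for num, line in logical_lines(text):
        if line.lstrip().startswith("#"):   # comment and #include lines
            continue
        m = ALIAS_DEF.match(line)
        if not m:
            findings.update((num, "reference", r) for r in ALIAS_REF.findall(line))
            continue
        # One line may hold several definitions separated by unescaped ':'.
        for spec in re.split(r"(?<!\\):", m.group(2)):
            name, _, members = spec.partition("=")
            if name.strip() in RESERVED:
                findings.add((num, "definition", name.strip()))
            findings.update((num, "reference", r) for r in ALIAS_REF.findall(members))
    return sorted(findings)

if __name__ == "__main__":
    for num, kind, name in find_reserved_aliases(SAMPLE):
        print(f"line {num}: reserved word {name} used as alias {kind}")
```

Trailing comments on a rule line are not stripped, so a reserved word mentioned in one is reported as a reference; visudo -c from the target sudo version remains the authoritative check.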