leah blogs: April 2011

01apr2011 · sudo -f

Do you read the manpages of tools you use every day? You should.

For example, just yesterday, I found this gem in the sudo manpage:

            ...
            for some reason, sudo is unable to update a file with its
            edited version, the user will receive a warning and the
            edited copy will remain in a temporary file.

-f          Force execution of the command, even if the user doesn't
            fulfill the sudoers policy.  This is useful for fixing
            up botched policy files (e.g. when visudo was not used).
            Note that the user still needs authenticate himself with
            a password or another authentication mechanism.

-g group    Normally, sudo runs a command with the primary group set to
            the one specified by the password database for the user the
            command is being run as (by default, root).  The -g (group)
            ...

sudo -f!? What the fuck?

I quickly checked the sources, and it turns out that this feature needs to be enabled during compilation with the --enable-force flag.

I also noticed a small glitch in the implementation: it is not possible to use sudo -f -i or sudo -f -s, but you can work around that by using sudo -f su - and sudo -f su.

As far as I can tell, Arch and Debian don’t have this feature enabled, and neither does Gentoo, which does not even provide a use-flag for it. It is, however, turned on by default on Ubuntu (after all, they make heavy use of sudo), RHEL, Fedora Core (since version 12), and openSUSE (and thus, probably, also in Canterbury).

NP: The Brian Jonestown Massacre—Their Satanic Majesties’ Second Request

Copyright © 2004–2022