Are the files in /etc/sudoers.d read in a particular order?

From man sudoers, the exact position found with this command:

$ LESS='+/sudo will suspend processing' man sudoers

Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second. Be aware that because the sorting is lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second. A consistent number of leading zeroes in the file names can avoid such problems.

That's under the title: Including other files from within sudoers

$ LESS='+/Including other files from within sudoers' man sudoers

Lexical order is also called "dictionary order" as given by the values defined by the environment variable LC_COLLATE when the locale is C (numbers then Uppercae then lowercase letters). That's the same order as given by LC_COLLATE=C ls /etc/sudoers.d/.

The list of files included and the specific order in which they are loaded could be exposed with:

$ visudo -c
/etc/sudoers: parsed OK
/etc/sudoers.d/README: parsed OK
/etc/sudoers.d/me: parsed OK
/etc/dirtest/10-defaults: parsed OK
/etc/dirtest/1one: parsed OK
/etc/dirtest/2one: parsed OK
/etc/dirtest/30-alias: parsed OK
/etc/dirtest/50-users: parsed OK
/etc/dirtest/Aone: parsed OK
/etc/dirtest/Bone: parsed OK
/etc/dirtest/aone: parsed OK
/etc/dirtest/bone: parsed OK
/etc/dirtest/zone: parsed OK
/etc/dirtest/~one: parsed OK
/etc/dirtest/éone: parsed OK
/etc/dirtest/ÿone: parsed OK

Note that the order is not UNICODE but C.


From the sudoers manual (regarding the #includedir directive):

#includedir /etc/sudoers.d

sudo will read each file in /etc/sudoers.d, skipping file names that end in ~ or contain a . character to avoid causing problems with package manager or editor temporary/backup files. Files are parsed in sorted lexical order. That is, /etc/sudoers.d/01_first will be parsed before /etc/sudoers.d/10_second. Be aware that because the sorting is lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded after /etc/sudoers.d/10_second. Using a consistent number of leading zeroes in the file names can be used to avoid such problems.

See man 5 sudoers.

The lexical ordering mentioned above is the same ordering that you get from ls (or echo *) in the C or POSIX locale.

Tags:

Configuration

Sudo

Recent Posts