Sudoer file not working on Synology due to dots in its name

I spent one hour to investigate why I couldn't execute a command with sudo, from a php script, although the user was authorized for that command within a sudoer file... The problem was a dot in the name of the sudoer file.

Click to Read More

My php script is part of a package I have created to run on my Synology (DSM 7.x).. It is running under an account named like my package: MODS_Package7.x

That php script executes the following code:

$COMMAND = "sudo /usr/syno/bin/synopkg start '$PACKAGE' 2>&1";
exec($COMMAND, $output, $result);

My sudoer file was named /etc/sudoers.d/MODS_Package7.x and contained:

MODS_Package7.x ALL=(ALL) NOPASSWD: /usr/syno/bin/synopkg

It didn't work until I removed the ".", renaming the sudoer file into /etc/sudoers.d/MODS_Package7_x

 

How stupid,  but it's indeed mentioned in the documentation:

sudo will read each file in /etc/sudoers.d, skipping file names that end in ‘~' or contain a ‘.' character to avoid causing problems with package manager or editor temporary/backup files.

The /etc/sudoers.d/README file does not exist on Synology, but can be found on other Linux


#
# As of Debian version 1.7.2p1-1, the default /etc/sudoers file created on
# installation of the package now includes the directive:
# 
#   #includedir /etc/sudoers.d
# 
# This will cause sudo to read and parse any files in the /etc/sudoers.d 
# directory that do not end in '~' or contain a '.' character.
# 
# Note that there must be at least one file in the sudoers.d directory (this
# one will do), and all files in this directory should be mode 0440.
# 
# Note also, that because sudoers contents can vary widely, no attempt is 
# made to add this directive to existing sudoers files on upgrade.  Feel free
# to add the above directive to the end of your /etc/sudoers file to enable 
# this functionality for existing installations if you wish!
#
# Finally, please note that using the visudo command is the recommended way
# to update sudoers content, since it protects against many failure modes.
# See the man page for visudo for more information.
#

 

Leave a Reply

Your email address will not be published. Required fields are marked *