[ This was written at a past job, when they asked me to set up sudo on a particular machine. The original was written as a report to my management on the effort. I have replaced a few details with XXX when they would reveal internal details, such as which employer this was at. The basic points remain. This happened some years ago - I would guess 2010 plus or minus maybe five years, but there is an internal timestamp of "Tue Nov 1 16:27:35 2011", so, sometime between 2011-11-01 and maybe 2015. Those who have historical information enough might be able to date it more accurately based on the embedded IP address of sudo.ws's MX host at the time. Mouse ]

First problem: I went looking to see where sudo came from. Even with my half-assed Web skillz, I quickly found four different webpages each of which seemed to think it was the real sudo webpage; given what sudo is, I was inclined to trust none of them. After some asking around on an external IRC channel, I settled on sudo.ws as probably correct.

Second problem: The thing is friggin' enormous. It's got dynamic loading and plugins and a whole raft of crap that has no business anywhere near a central part of a security system. It's drunk the configure-script koolaid, which is a disaster I've ranted about elsewhere. But this was for work, which historically doesn't care about that sort of security issue, so I ignored all that.

Third problem: I got it built and installed. I set up a rudimentary sudoers file which you can still find in XXX's /etc/sudoers as of this writing; the only non-comment lines are

    root ALL=(ALL) ALL
    Defaults:root env_editor
    %infs ALL=(ALL) ALL

visudo is happy with this. But when I run sudo itself, even as root, I get

    sudo: >>> /etc/sudoers: syntax error near line 1 <<<
    Segmentation fault

I did some debugging and got nowhere.
/etc/sudoers is parsed with a lex-and-yacc parser; I added debugging at the stdio level and found it reads the whole file, then at the tokenizer level and found it errors after getting only one token (which is COMMENT).

At this point I decided to ask the list for help. So I sent mail to sudo-workers-request@sudo.ws to subscribe.

Fourth problem: The mail got stuck in sparkle's mailq saying "Connection reset by sudo.ws.". A manual run of the mailq reveals that it seems to be under the impression I'm a spam sender:

    sudo-workers-request@sudo.ws... Connecting to sudo.ws. via esmtp...
    220 core.courtesan.com ESMTP spamd IP-based SPAM blocker; Tue Nov 1 16:27:35 2011
    >>> EHLO Sparkle.Rodents-Montreal.ORG
    250 Hello, spam sender. Pleased to be wasting your time.
    >>> MAIL From:
    250 You are about to try to deliver spam. Your time will be spent, for nothing.
    >>> RCPT To:
    250 This is hurting you more than it is hurting me.
    >>> DATA
    451 Temporary failure, please try again later.
    >>> QUIT
    sudo-workers-request@sudo.ws... Deferred: Connection reset by sudo.ws.
    Closing connection to sudo.ws.

Now, I am - or at least was - listed by SORBS, because I refuse to consider their abuse attempts anything but, well, abuse attempts. And there are still a few places left that block based on SORBS. So I tried from XXX:

    [XXX] 1> telnet 64.85.164.38 smtp
    Trying 64.85.164.38...
    Connected to courtesan.com.
    Escape character is '^]'.
    220 core.courtesan.com ESMTP spamd IP-based SPAM blocker; Tue Nov 1 16:33:00 2011
    helo XXX
    250 Hello, spam sender. Pleased to be wasting your time.

I didn't bother going any further, since it seems to be of the opinion that XXX is a spam source too (which, to be fair, it is, in a sense; spam forwarded through XXX is probably the biggest single source of spam in my mailbox at this point).

At this point, I am inclined to throw sudo out completely. It has failed catastrophically at design, at implementation, and at support.

I'm not sure what the right direction to go from here is. It would be trivial to build a set-ID wrapper to handle the presenting complaint, here, to let XXX run XXX on XXX. I probably could even build something that would handle a substantial fraction of /etc/sudoers's syntax, at least the parts we care about, in no more than a few days, but I don't know if XXX wants to put my time into that.

Mouse