Editing sudoers in OS X (10.7)

Question

I've got a script (written by my predecessor) which successfully edits the sudoers file on a Mac running OS X 10.6; it goes like this:

#!/bin/sh

if [ -z "$1" ]; then
    export EDITOR=$0 && sudo -E visudo
else
    echo "%staff ALL=NOPASSWD: /sbin/shutdown" >> $1
fi

However, when run on a Mac running 10.7, instead of adding the line to the sudoers file, it launches visudo "interactively". It does not seem to enter the "else" clause at any point. I suspect that the appropriate syntax of line 4 ("export...") has changed, but I can't seem to find out how. Any pointers?

Since someone will ask: We have an elaborate (and admittedly, somewhat silly, but necessarily so) forced-reboot schedule for patching. If a user has not rebooted willfully by the deadline, an application will launch with a 5 minute countdown (or the option to reboot immediately) at which point the 'sudo shutdown -r now' command is issued. For my sanity's sake, please don't ask me to defend the nature of this arrangement. It is outside of my control.

Answer 1

visudo(8) has this to say:

There is a hard-coded list of one or more editors that visudo will use set at compile-time that may be overridden via the editor sudoers Default variable. This list defaults to "/bin/vi". Normally, visudo does not honor the VISUAL or EDITOR environment variables unless they contain an editor in the aforementioned editors list. However, if visudo is configured with the --with-env-editor option or the env_editor Default variable is set in sudoers, visudo will use any the editor defines by VISUAL or EDITOR. Note that this can be a security hole since it allows the user to execute any program they wish simply by setting VISUAL or EDITOR.

I suspect that's what you're running into here.

Answer 2

if [ -z "$1" ]; is a common idiom checking if no arguments were given to a script. When called without arguments, your script will take the first path, launching the editor (which, in this case should be this script itself). Given a file name as an argument, the else-branch is taken and a line is appended to the file non-interactively (in visudo context).

Assuming that the script is called externally without arguments, sudo started clearing the EDITOR environment variable, or (as @twalberg noted) visudo now ignores EDITOR.

To fix, adjust the sudoers file to keep EDITOR, and either allow any program as editor by setting env_editor, or add the script (and any other scripts editing the sudoers file) to the editor variable.

Defaults    env_keep += "EDITOR"
# UNSAFE
#Defaults   env_editor
# better
Defaults    editor = "/usr/bin/vi:/path/to/script" # ... possibly more

If you do not want to do that (or can't do that non-interactively) and it is safe to assume that simultaneous edits will not happen, you can do something like the following:

cp -p /etc/sudoers /etc/sudoers.tmp
echo "%staff ALL=NOPASSWD: /sbin/shutdown" >> /etc/sudoers.tmp
if visudo -cqf /etc/sudoers.tmp; then
    mv /etc/sudoers.tmp /etc/sudoers
else
    rm /etc/sudoers.tmp
    echo "update failed"
fi