#1126353 sudo (in trixie) does not read sudoers.d files with colons in file name

#1126353#5
Date:
2026-01-24 16:23:16 UTC
From:
To:
Hi,

I would like to ask the release notes team whether we should, while a
technical solution is pending, add language regarding #1126085 to the
trixie release notes (and maybe also to the bookworm release notes) that
the sudo in those stable releases won't read /etc/sudoers.d files that
contain colons in their file name, like
/etc/sudoers.d/10_dsa::util::sudo[dfsg-team-role] but instead wrongly
report "no such file or directory".

Adam correctly points out that this behavior of sudo might either cause
system breakage or introduce security flaws because files that used to
be processed in the past are not processed any more. I concur with
his judgement that #1126085 is an RC bug.

I am willing to provide a paragraph for the release notes if you
indicate that this would be a good workaround while we wait for upstream
to comment whether there might be a better technical solution for the
issue.

Greetings
Marc

#1126353#10
Date:
2026-01-25 13:57:45 UTC
From:
To:
https://git.sudo.ws/sudo/commit/?id=ff0b6bebceec5c7d01fd296300125d51325c6ff4
so maybe no need for the release-notes to add and then delete it?

I wasn't sure that bookworm was actually affected based on
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1126085 ?

However, this seems to be something to do with : being interpreted as
a list (sometimes?), which might make the release-notes on its own --
this seems missing from sudoers(5) in trixie
(I wonder if this is going to cause other surprising changes, where
the user asks for "A:B" but sudo silently uses A and B. This all
seems like needless complexity to me. And how can the user put a file
with : in a list?)

#1126353#20
Date:
2026-01-25 15:47:40 UTC
From:
To:
Yes, right. The patch applies cleanly to what we have in Trixie, so I
can go with a stable point release update. Unupdated trixie will still
be affected, so it might make sense to have the release note anyway.

At the moment I cannot comment on this.

Greetings
Marc
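
An administrator can check whether a host has drop-in files of the kind described in the first message with a small audit function. This is an added example, not part of the thread or of sudo; the function names `classify_name` and `audit_sudoers_d` are hypothetical, and the rule that names containing `.` or ending in `~` are skipped comes from the `@includedir` description in sudoers(5).

```shell
#!/bin/sh
# Added example: audit a sudoers.d-style directory for drop-in file names
# that the thread reports as not being read (names containing ':').

# classify_name NAME
# Prints one of:
#   colon              name contains ':' (the case reported in this bug)
#   skipped-by-design  name contains '.' or ends in '~' (sudoers(5) skips these)
#   ok                 neither of the above
classify_name() {
    case "$1" in
        *:*)    echo "colon" ;;
        *.*|*~) echo "skipped-by-design" ;;
        *)      echo "ok" ;;
    esac
}

# audit_sudoers_d [DIR]
# Prints "<class><TAB><path>" for every regular file in DIR
# (default /etc/sudoers.d). Returns 1 if any name contains a colon,
# 0 otherwise, so it can gate a monitoring or pre-upgrade check.
audit_sudoers_d() {
    dir=${1:-/etc/sudoers.d}
    found=0
    for path in "$dir"/*; do
        # An unmatched glob stays literal and is rejected here as well.
        [ -f "$path" ] || continue
        name=${path##*/}
        class=$(classify_name "$name")
        printf '%s\t%s\n' "$class" "$path"
        if [ "$class" = "colon" ]; then
            found=1
        fi
    done
    return "$found"
}

# Usage (as root, since /etc/sudoers.d is not world-readable):
#   audit_sudoers_d /etc/sudoers.d || echo "rename or fix the files marked colon"
```

Rules in a file marked `colon` should be treated as not in effect on an affected sudo until the file is renamed or the fixed package is installed.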