Your message dated Thu, 25 Feb 2021 10:37:39 +0000 (UTC)
with message-id <[email protected]>
and subject line Re: Bug#639323: sudoers unfortunate changes
has caused the Debian Bug report #639323,
regarding sudoers unfortunate changes
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
639323: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=639323
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: sudo
Version: 1.8.2-1
Severity: normal

Apparently, there's a new directive in the default sudoers now:
| Defaults      
secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

Without it, "sudo visudo" will fail. When asking Y to let dpkg
overwrite the existing conffile on the system, people might lose
root access to the entire machine. (No, I said N and manually
run "sudo /usr/sbin/visudo" then merging it.)

Like when env_reset became default (one of the first things I
remove), this changes the default behaviour in an unsafe way,
and as such should not (IMHO) be forced on the user on upgrade,
i.e. upgrading existing systems should keep the older behaviour
(while warning about it, probably).


Also, visudo now asks
| press return to edit /etc/sudoers.d/README:
which, while cosmetic, will lead to much frustration and some
confusion under the sysadmins.


-- System Information:
Debian Release: wheezy/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.18-6-686 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/mksh

Versions of packages sudo depends on:
pn  libc6                         <none>     (no description available)
ii  libpam-modules                1.1.3-1    Pluggable Authentication Modules f
ii  libpam0g                      1.1.3-1    Pluggable Authentication Modules l

sudo recommends no packages.

sudo suggests no packages.

-- Configuration Files:
/etc/sudoers [Errno 13] Permission denied: u'/etc/sudoers'
/etc/sudoers.d/README [Errno 13] Permission denied: u'/etc/sudoers.d/README'

-- no debconf information



--- End Message ---
--- Begin Message ---
Hi Marc,

welcome to the sudo maintainer hat ;-)

>On Fri, Aug 26, 2011 at 09:08:48AM +0000, Thorsten Glaser wrote:
>> Bdale Garbee dixit:
>> >Nothing is "forced on the user", the conffile handling is doing exactly
>> >what is expected.  If the admin chooses to not accept the update, the

This could have been solved by adding the line to sudoers, waiting
a release, and then removing it from the binary. Or, as Bill pointed
out, done via /etc/sudoers.d/ instead.

But this is ten years old now, thus probably irrelevant; better
handling of configuration files as important as this one should
still be in the back of the head of maintainers, but… ;-)

>> >worst that happens is they have to fully qualify command paths until
>> >they've patched up sudoers.

Ah right, so there’s a workaround.

[ conffile handling ]
>Yes, but implementing a method like this is way beyond the amount of
>work that a normal package is expected to invest. I'd hate to open this

Indeed. There’s a five-digit bug against dpkg (IIRC) still open that
requests to save the original versions of conffiles to the side, so
that a later version can do the three-way diff; right now we don’t
even have the base version of the conffile to diff against. I don’t
know why this isn’t even done. We’d need this at least one release,
ideally more, ahead of time before three-way merging becomes useful.
But this isn’t something to do here.

>Debian system. I'd also like to refrain from adding a ucf dependency
>here.

Yes, understandable.

>> >> Also, visudo now asks
>> >> | press return to edit /etc/sudoers.d/README:

>This doesn't happen on current unstable with vi as the EDITOR.

visudo on current sid doesn’t even offer to edit the files under
/etc/sudoers.d/ any more at all, so yes, this is probably fixed.

>> This is because /etc/sudoers contains
>> | #includedir /etc/sudoers.d
>> and /etc/sudoers.d/README is a file in that directory…
>
>Did visudo at one time actually invoke the Editor with /etc/sudoers AND
>/etc/sudoers.d/* ?  It doesn't seem to do this any more.

It doesn’t seem to do this with either @includedir or #includedir any more.

>Can we please close this bug report? I don't think that keeping it open

Yup.

Thanks for pinging,
//mirabilos
-- 
(gnutls can also be used, but if you are compiling lynx for your own use,
there is no reason to consider using that package)
        -- Thomas E. Dickey on the Lynx mailing list, about OpenSSL

--- End Message ---

Reply via email to