Control: tags -1 + patch

Hi again,

On 2015-01-30 10:27, Christian Kastner wrote:
> On 2015-01-30 00:19, Andreas Beckmann wrote:
>> Which is erroneously moved aside by sudo-ldap.preinst, thereafter dpkg
>> unpacks sudo-ldap, takes over file ownership (incl. conffiles) from sudo
>> and once it gets around to installing its conffile it notices that this
>> has not changed from the known md5sum, so no attempt is made to
>> "upgrade" the missing conffile.
> 
> OK, you're right. It's not a matter of moving /etc/sudoers.pre-conffile
> back; the issue is that (at least on wheezy and above) it should not
> have been moved aside in the first place.
> 
> The error appears to be (as you say) in sudo.preinst and
> sudo-ldap.preinst, specifically that the --compare-versions check does
> not account for the case when old-version is empty, which will always be
> the case when switching between sudo and sudo-ldap.

I've looked into this now, and I believe that the --compare-versions
issue and the chown/chmod issue is all there is to this bug. I have
attached a new debdiff (v2) with fixes for both.

I have tested this patch in a number of combinations, including (but not
limited to):

  sudo      (squeeze)       ->     sudo      (jessie) upgrade
  sudo-ldap (squeeze)       ->     sudo-ldap (jessie) upgrade

Works as intended. An unchanged /etc/sudoers gets replaced with the new
version, a changed sudoers will cause the user to be asked what to do.

  sudo      (jessie)        ->     sudo      (jessie+deb8u2) upgrade
  sudo-ldap (jessie)        ->     sudo-ldap (jessie+deb8u2) upgrade

Same result as in the previous case.

  sudo      (jessie+deb8u2) ->     sudo-ldap (jessie+deb8u2) switch
  sudo-ldap (jessie+deb8u2) ->     sudo      (jessie+deb8u2) switch

/etc/sudoers always gets carried over. There is no scenario where the
user might have to be asked, as the package versions (and the sudoers
they supply) are identical, and the user's changed version therefore
trumps the default version.

Andreas, what do you think?

Regards,
Christian
diff -Nru sudo-1.8.10p3/debian/changelog sudo-1.8.10p3/debian/changelog
--- sudo-1.8.10p3/debian/changelog      2015-01-19 06:56:53.000000000 +0100
+++ sudo-1.8.10p3/debian/changelog      2015-02-07 00:25:55.000000000 +0100
@@ -1,3 +1,15 @@
+sudo (1.8.10p3-1+deb8u2) testing-proposed-updates; urgency=medium
+
+  * Non-maintainer upload.
+  * In the preinst scripts, in the code concerning the pre-conffile-era
+    /etc/sudoers handling, make sure that dpkg --compare-versions actually has
+    two versions to compare. This is not the case when switching between sudo
+    and sudo-ldap (of the same version), so that code was accidentally being
+    triggered. Closes: #776137
+  * Make sure that /etc/sudoers exists before attempting to chown/chmod it
+
+ -- Christian Kastner <deb...@kvr.at>  Sat, 07 Feb 2015 00:18:21 +0100
+
 sudo (1.8.10p3-1+deb8u1) testing-proposed-updates; urgency=medium
 
   * Non-maintainer upload.
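Review bot: The second new entry in this changelog hunk ("Make sure that /etc/sudoers exists before attempting to chown/chmod it") does not say which scripts it touches, while the first entry names the preinst scripts explicitly. Suggest wording it as "In the postinst scripts, make sure that /etc/sudoers exists ..." and ending it with a period, to match the entry above.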
diff -Nru sudo-1.8.10p3/debian/sudo-ldap.postinst 
sudo-1.8.10p3/debian/sudo-ldap.postinst
--- sudo-1.8.10p3/debian/sudo-ldap.postinst     2014-09-14 18:26:06.000000000 
+0200
+++ sudo-1.8.10p3/debian/sudo-ldap.postinst     2015-02-07 00:27:42.000000000 
+0100
@@ -28,8 +28,10 @@
 fi
 
 # make sure sudoers has the correct permissions and owner/group
-chown root:root /etc/sudoers
-chmod 440 /etc/sudoers
+if [ -f /etc/sudoers ];then
+    chown root:root /etc/sudoers
+    chmod 440 /etc/sudoers
+fi
 
 # create symlink to ease transition to new path for ldap config
 # if old config file exists and new one doesn't
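Review bot: The new guard "if [ -f /etc/sudoers ];then" makes a missing /etc/sudoers pass silently, but the comment above it still reads only "make sure sudoers has the correct permissions and owner/group" and gives no hint of when the file may be absent. A one-line comment naming that case would help the next maintainer decide whether the guard is still needed. Style nit: put a space before "then" ("]; then"), as the preinst scripts do.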
diff -Nru sudo-1.8.10p3/debian/sudo-ldap.preinst 
sudo-1.8.10p3/debian/sudo-ldap.preinst
--- sudo-1.8.10p3/debian/sudo-ldap.preinst      2014-09-14 18:26:06.000000000 
+0200
+++ sudo-1.8.10p3/debian/sudo-ldap.preinst      2015-02-07 00:26:45.000000000 
+0100
@@ -2,7 +2,7 @@
 
 case "$1" in
   install|upgrade)
-    if dpkg --compare-versions "$2" le "1.7.4p4-4"; then
+    if [ -n "$2" ] && dpkg --compare-versions "$2" le "1.7.4p4-4"; then
 
       SUDOERS="/etc/sudoers"
 
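Review bot: The added "[ -n "$2" ] &&" in the install|upgrade branch has no comment in the script saying why an empty old-version must skip the pre-conffile handling. The reasoning exists only in the changelog (switching between sudo and sudo-ldap of the same version), so a short comment above the "if" line would keep it next to the code, since the condition reads as redundant without that context.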
diff -Nru sudo-1.8.10p3/debian/sudo.postinst sudo-1.8.10p3/debian/sudo.postinst
--- sudo-1.8.10p3/debian/sudo.postinst  2014-09-14 18:26:06.000000000 +0200
+++ sudo-1.8.10p3/debian/sudo.postinst  2015-02-07 00:27:18.000000000 +0100
@@ -22,8 +22,10 @@
 fi
 
 # make sure sudoers has the correct permissions and owner/group
-chown root:root /etc/sudoers
-chmod 440 /etc/sudoers
+if [ -f /etc/sudoers ];then
+    chown root:root /etc/sudoers
+    chmod 440 /etc/sudoers
+fi
 
 # if we've gotten this far .. remove the saved, unchanged old sudoers file
 rm -f /etc/sudoers.pre-conffile
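Review bot: With the chown/chmod now wrapped in "if [ -f /etc/sudoers ]", a run where /etc/sudoers is absent continues to the trailing "rm -f /etc/sudoers.pre-conffile", so the saved copy is deleted while no sudoers file exists. The context comment "if we've gotten this far" suggests the removal was meant to happen only after the earlier steps succeeded. Worth confirming this is intended, or moving the rm inside the same guard so the saved file survives when /etc/sudoers is missing.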
diff -Nru sudo-1.8.10p3/debian/sudo.preinst sudo-1.8.10p3/debian/sudo.preinst
--- sudo-1.8.10p3/debian/sudo.preinst   2014-09-14 18:26:06.000000000 +0200
+++ sudo-1.8.10p3/debian/sudo.preinst   2015-02-07 00:26:57.000000000 +0100
@@ -2,7 +2,7 @@
 
 case "$1" in
   install|upgrade)
-    if dpkg --compare-versions "$2" le "1.7.4p4-4"; then
+    if [ -n "$2" ] && dpkg --compare-versions "$2" le "1.7.4p4-4"; then
 
       SUDOERS="/etc/sudoers"
 
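Review bot: The "[ -n "$2" ]" test in this install|upgrade branch also skips the block on a first-time install, where "$2" is empty as well, not only on a sudo-ldap to sudo switch. The test matrix in the mail lists upgrades and switches; a fresh install onto a system that already has a hand-written /etc/sudoers should be confirmed too. The same one-line change is duplicated in sudo-ldap.preinst, so any later adjustment has to be made in both files.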
