Control: tags -1 + patch

Hi again,

On 2015-01-30 10:27, Christian Kastner wrote:
> On 2015-01-30 00:19, Andreas Beckmann wrote:
>> Which is erroneously moved aside by sudo-ldap.preinst, thereafter dpkg
>> unpacks sudo-ldap, takes over file ownership (incl. conffiles) from sudo
>> and once it gets around to installing its conffile it notices that this
>> has not changed from the known md5sum, so no attempt is made to
>> "upgrade" the missing conffile.
>
> OK, you're right. It's not a matter of moving /etc/sudoers.pre-conffile
> back; the issue is that (at least on wheezy and above) it should not
> have been moved aside in the first place.
>
> The error appears to be (as you say) in sudo.preinst and
> sudo-ldap.preinst, specifically that the --compare-versions check does
> not account for the case when old-version is empty, which will always be
> the case when switching between sudo and sudo-ldap.

I've looked into this now, and I believe that the --compare-versions
issue and the chown/chmod issue is all there is to this bug. I have
attached a new debdiff (v2) with fixes for both.

I have tested this patch in a number of combinations, including (but not
limited to):

  sudo (squeeze) -> sudo (jessie) upgrade
  sudo-ldap (squeeze) -> sudo-ldap (jessie) upgrade

Works as intended. An unchanged /etc/sudoers gets replaced with the new
version, a changed sudoers will cause the user to be asked what to do.

  sudo (jessie) -> sudo (jessie+deb8u2) upgrade
  sudo-ldap (jessie) -> sudo-ldap (jessie+deb8u2) upgrade

Same result as in the previous case.

  sudo (jessie+deb8u2) -> sudo-ldap (jessie+deb8u2) switch
  sudo-ldap (jessie+deb8u2) -> sudo (jessie+deb8u2) switch

/etc/sudoers always gets carried over. There is no scenario where the
user might have to be asked, as the package versions (and the sudoers
they supply) are identical, and the user's changed version therefore
trumps the default version.

Andreas, what do you think?

Regards,
Christian

diff -Nru sudo-1.8.10p3/debian/changelog sudo-1.8.10p3/debian/changelog --- sudo-1.8.10p3/debian/changelog 2015-01-19 06:56:53.000000000 +0100 +++ sudo-1.8.10p3/debian/changelog 2015-02-07 00:25:55.000000000 +0100 @@ -1,3 +1,15 @@ +sudo (1.8.10p3-1+deb8u2) testing-proposed-updates; urgency=medium + + * Non-maintainer upload. + * In the preinst scripts, in the code concerning the pre-conffile-era + /etc/sudoers handling, make sure that dpkg --compare-versions actually has + two versions to compare. This is not the case when switching between sudo + and sudo-ldap (of the same version), so that code was accidentally being + triggered. Closes: #776137 + * Make sure that /etc/sudoers exists before attempting to chown/chmod it + + -- Christian Kastner <deb...@kvr.at> Sat, 07 Feb 2015 00:18:21 +0100 + sudo (1.8.10p3-1+deb8u1) testing-proposed-updates; urgency=medium * Non-maintainer upload. diff -Nru sudo-1.8.10p3/debian/sudo-ldap.postinst sudo-1.8.10p3/debian/sudo-ldap.postinst --- sudo-1.8.10p3/debian/sudo-ldap.postinst 2014-09-14 18:26:06.000000000 +0200 +++ sudo-1.8.10p3/debian/sudo-ldap.postinst 2015-02-07 00:27:42.000000000 +0100 @@ -28,8 +28,10 @@ fi # make sure sudoers has the correct permissions and owner/group -chown root:root /etc/sudoers -chmod 440 /etc/sudoers +if [ -f /etc/sudoers ];then + chown root:root /etc/sudoers + chmod 440 /etc/sudoers +fi # create symlink to ease transition to new path for ldap config # if old config file exists and new one doesn't diff -Nru sudo-1.8.10p3/debian/sudo-ldap.preinst sudo-1.8.10p3/debian/sudo-ldap.preinst --- sudo-1.8.10p3/debian/sudo-ldap.preinst 2014-09-14 18:26:06.000000000 +0200 +++ sudo-1.8.10p3/debian/sudo-ldap.preinst 2015-02-07 00:26:45.000000000 +0100 
@@ -2,7 +2,7 @@ case "$1" in install|upgrade) - if dpkg --compare-versions "$2" le "1.7.4p4-4"; then + if [ -n "$2" ] && dpkg --compare-versions "$2" le "1.7.4p4-4"; then SUDOERS="/etc/sudoers" diff -Nru sudo-1.8.10p3/debian/sudo.postinst sudo-1.8.10p3/debian/sudo.postinst --- sudo-1.8.10p3/debian/sudo.postinst 2014-09-14 18:26:06.000000000 +0200 +++ sudo-1.8.10p3/debian/sudo.postinst 2015-02-07 00:27:18.000000000 +0100 @@ -22,8 +22,10 @@ fi # make sure sudoers has the correct permissions and owner/group -chown root:root /etc/sudoers -chmod 440 /etc/sudoers +if [ -f /etc/sudoers ];then + chown root:root /etc/sudoers + chmod 440 /etc/sudoers +fi # if we've gotten this far .. remove the saved, unchanged old sudoers file rm -f /etc/sudoers.pre-conffile diff -Nru sudo-1.8.10p3/debian/sudo.preinst sudo-1.8.10p3/debian/sudo.preinst --- sudo-1.8.10p3/debian/sudo.preinst 2014-09-14 18:26:06.000000000 +0200 +++ sudo-1.8.10p3/debian/sudo.preinst 2015-02-07 00:26:57.000000000 +0100 @@ -2,7 +2,7 @@ case "$1" in install|upgrade) - if dpkg --compare-versions "$2" le "1.7.4p4-4"; then + if [ -n "$2" ] && dpkg --compare-versions "$2" le "1.7.4p4-4"; then SUDOERS="/etc/sudoers"
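
Review bot: style point in the sudo-ldap.postinst hunk (the same line appears in the sudo.postinst hunk): 'if [ -f /etc/sudoers ];then' has no space before 'then', while the preinst hunks in this patch write '; then'. Suggest 'if [ -f /etc/sudoers ]; then' for consistency. The comment above the block still reads as if the file is always present; a few words on when it can be absent would help the next reader.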
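
Review bot: the new '[ -n "$2" ]' test in the sudo-ldap.preinst and sudo.preinst hunks is undocumented in the scripts themselves; the reasoning exists only in the changelog entry. A one-line comment above the 'if' stating that "$2" is empty when switching between sudo and sudo-ldap would keep the guard from being dropped in a later cleanup. For background, dpkg's 'le' relation treats an empty version as earlier than any version, which is why the unguarded comparison succeeded; the 'le-nl' relation treats an empty version as later and would be an alternative to the separate test, if the explicit form is not preferred for readability.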
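
Review bot: in the sudo.postinst hunk, when /etc/sudoers is absent the new guard is skipped and execution continues to the unchanged 'rm -f /etc/sudoers.pre-conffile' in the trailing context, so the saved copy can be removed while no /etc/sudoers is in place. Consider making that removal conditional on /etc/sudoers existing, or emitting a warning in an 'else' branch, so that a missing sudoers does not pass silently through postinst.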