On Fri, Aug 13, 2021 at 03:07:46PM -0600, Ross Vandegrift wrote:
> [ Checklist ]
>   [X] *all* changes are documented in the d/changelog
>   [X] I reviewed all changes and I approve them
>   [X] attach debdiff against the package in (old)stable

Apologies - reportbug -r seems to have missed the attachment.  Here it is.

Ross
diff -Nru cloud-init-20.4.1/debian/changelog cloud-init-20.4.1/debian/changelog
--- cloud-init-20.4.1/debian/changelog	2021-03-19 10:18:59.000000000 -0600
+++ cloud-init-20.4.1/debian/changelog	2021-08-12 18:47:26.000000000 -0600
@@ -1,3 +1,11 @@
+cloud-init (20.4.1-2+deb11u1) bullseye; urgency=high
+
+  * Team upload.
+  * cherry-pick upstream fix for duplicate includes in /etc/sudoers
+    (Closes: #991629)
+
+ -- Ross Vandegrift <rvandegr...@debian.org>  Thu, 12 Aug 2021 18:47:26 -0600
+
 cloud-init (20.4.1-2) unstable; urgency=high
 
   * Avoid logging generated passwords to world-readable log files.
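
Review bot: the new entry's "cherry-pick upstream fix for duplicate includes in /etc/sudoers" line does not say which file under debian/patches carries the fix or which upstream change it comes from. Naming the patch file (0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch) and the upstream reference (#783) in that bullet would let a reader match the changelog to the rest of the debdiff without opening the patch.
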
diff -Nru cloud-init-20.4.1/debian/patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch cloud-init-20.4.1/debian/patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch
--- cloud-init-20.4.1/debian/patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch	1969-12-31 17:00:00.000000000 -0700
+++ cloud-init-20.4.1/debian/patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch	2021-08-12 18:47:26.000000000 -0600
@@ -0,0 +1,64 @@
+From: Jordi Massaguer Pla <jmassaguer...@suse.de>
+Date: Fri, 29 Jan 2021 15:43:56 +0100
+Subject: includedir in suoders can be prefixed by "arroba" (#783)
+
+Since version 1.9.1, @includedir can be used in the sudoers files
+instead of #includedir:
+
+https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_1
+
+Actually "@includedir" is the modern syntax, and "#includedir" the historic
+syntax. It has been considered that "#includedir" was too puzzling because
+it started with a "#" that otherwise denotes comments.
+
+This happens to be the default in SUSE Linux enterprise sudoer package,
+so cloudinit should take this into account.
+
+Otherwise, cloudinit was adding an extra #includedir, which was
+resulting on the files under /etc/sudoers.d being included twice, one by
+@includedir from the SUSE package, one by the @includedir from
+cloudinit. The consequence of this, was that if you were defining an
+Cmnd_Alias inside any of those files, this was being defined twice and
+creating an error when using sudo.
+---
+ cloudinit/distros/__init__.py                |  2 +-
+ tests/unittests/test_distros/test_generic.py | 13 +++++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/cloudinit/distros/__init__.py b/cloudinit/distros/__init__.py
+index 1e11847..220bd11 100755
+--- a/cloudinit/distros/__init__.py
++++ b/cloudinit/distros/__init__.py
+@@ -673,7 +673,7 @@ class Distro(persistence.CloudInitPickleMixin, metaclass=abc.ABCMeta):
+         found_include = False
+         for line in sudoers_contents.splitlines():
+             line = line.strip()
+-            include_match = re.search(r"^#includedir\s+(.*)$", line)
++            include_match = re.search(r"^[#|@]includedir\s+(.*)$", line)
+             if not include_match:
+                 continue
+             included_dir = include_match.group(1).strip()
+diff --git a/tests/unittests/test_distros/test_generic.py b/tests/unittests/test_distros/test_generic.py
+index 4460748..336150b 100644
+--- a/tests/unittests/test_distros/test_generic.py
++++ b/tests/unittests/test_distros/test_generic.py
+@@ -119,6 +119,19 @@ class TestGenericDistro(helpers.FilesystemMockingTestCase):
+         self.assertIn("josh", contents)
+         self.assertEqual(2, contents.count("josh"))
+ 
++    def test_sudoers_ensure_only_one_includedir(self):
++        cls = distros.fetch("ubuntu")
++        d = cls("ubuntu", {}, None)
++        self.patchOS(self.tmp)
++        self.patchUtils(self.tmp)
++        for char in ['#', '@']:
++            util.write_file("/etc/sudoers", "{}includedir /b".format(char))
++            d.ensure_sudo_dir("/b")
++            contents = util.load_file("/etc/sudoers")
++            self.assertIn("includedir /b", contents)
++            self.assertTrue(os.path.isdir("/b"))
++            self.assertEqual(1, contents.count("includedir /b"))
++
+     def test_arch_package_mirror_info_unknown(self):
+         """for an unknown arch, we should get back that with arch 'default'."""
+         arch_mirrors = gapmi(package_mirrors, arch="unknown")
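
Review bot: in the cloudinit/distros/__init__.py change, the character class [#|@] also matches a literal "|", since "|" is not alternation inside brackets, so a line such as "|includedir /b" would satisfy include_match. The intended pattern is r"^[#@]includedir\s+(.*)$". The added test_sudoers_ensure_only_one_includedir only loops over '#' and '@'; a negative case with some other leading character would pin down the intended behaviour. The patch header also carries From/Date/Subject but no upstream commit id or Origin field, which would help when tracing the cherry-pick later.
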
diff -Nru cloud-init-20.4.1/debian/patches/series cloud-init-20.4.1/debian/patches/series
--- cloud-init-20.4.1/debian/patches/series	2021-03-19 10:02:44.000000000 -0600
+++ cloud-init-20.4.1/debian/patches/series	2021-08-12 18:47:26.000000000 -0600
@@ -6,3 +6,4 @@
 0009-Drop-all-unused-extended-version-handling.patch
 0012-Fix-message-when-a-local-is-missing.patch
 dont_log_generated_passwords.patch
+0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch
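
Review bot: the appended series entry reuses the 0009 prefix already taken by 0009-Drop-all-unused-extended-version-handling.patch and is applied after 0012 and dont_log_generated_passwords.patch, so the number neither identifies the patch uniquely nor reflects its position in the series. Consider a prefix that follows the existing sequence, and correcting "suoders" to "sudoers" in the file name while renaming it (the diff headers for the new patch file would need to match).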
