Hello Timo and Marc,
This has become much more relevant now. Marc removed libnss-sudo [1], whose
postinst previously created the `sudoers: files` entry:
-------------- 8< ---------------
if ! grep -q -E '^sudoers:' "${DPKG_ROOT}/etc/nsswitch.conf" ; then
    echo "sudoers: " >> "${DPKG_ROOT}/etc/nsswitch.conf"
fi
[...]
if ! grep -q -E -e '^sudoers:[^#]*\s(files)(\s|#|$)' "${DPKG_ROOT}/etc/nsswitch.conf" ; then
    # Installing sudoers/files from libnss-sudo in position first
    sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^sudoers:\s/ s/(:\s+)/\1files /'
fi
-------------- 8< ---------------
But this is gone now. Consequently, libsss-sudo's postinst does not add 'sss'
any more, as there is no 'sudoers:' line, and the `sed` just changes an
existing one:
-------------- 8< ---------------
if ! grep -q -E -e '^sudoers:[^#]*\s(sss)(\s|#|$)' "${DPKG_ROOT}/etc/nsswitch.conf" ; then
    # Installing sudoers/sss from libsss-sudo in position last
    sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^sudoers:\s[^#]*$/ s/$/ sss/' -e '/^sudoers:\s.*#/ s/#/ sss #/'
fi
-------------- 8< ---------------
That leaves sssd configuration of sudo rules broken by default now. Could
libsss-sudo adopt the "create entry" code from the late libnss-sudo?
Thanks,
Martin
P.S. Spotted in https://github.com/cockpit-project/bots/pull/8694
[1] https://salsa.debian.org/sudo-team/sudo/-/commit/d8cb400946213f53c91e9f3bc10f3b6ba7caab29
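
The behaviour reported above can be reproduced against a scratch file. The following is an added example, not part of the original message or of either package's maintainer scripts: it runs the quoted `sss` step alone, then again after the quoted "create entry" step. The function names and the sample nsswitch.conf content are constructed for illustration, and GNU grep and sed are assumed.

```shell
#!/bin/sh
# Added illustration. Function names are hypothetical; the grep/sed
# expressions are the ones quoted in the message above.

# Step quoted from libsss-sudo's postinst: appends "sss" to an existing
# "sudoers:" line. It edits in place and never creates the line.
add_sss() {
    conf="$1"
    if ! grep -q -E -e '^sudoers:[^#]*\s(sss)(\s|#|$)' "$conf"; then
        sed -E -i "$conf" \
            -e '/^sudoers:\s[^#]*$/ s/$/ sss/' \
            -e '/^sudoers:\s.*#/ s/#/ sss #/'
    fi
}

# "Create entry" step quoted from the removed libnss-sudo postinst.
ensure_sudoers_line() {
    conf="$1"
    if ! grep -q -E '^sudoers:' "$conf"; then
        echo "sudoers: " >> "$conf"
    fi
}

# Constructed sample: an nsswitch.conf with no "sudoers:" entry, plus an
# optional extra line passed as $1.
make_sample() {
    f=$(mktemp)
    printf 'passwd: files systemd sss\ngroup: files systemd sss\n' > "$f"
    [ -n "$1" ] && printf '%s\n' "$1" >> "$f"
    echo "$f"
}

# Print the resulting sudoers line with runs of spaces squeezed.
sudoers_line() { grep -E '^sudoers:' "$1" | tr -s ' ' || true; }

# Current state: only the sss step runs, no sudoers line exists.
demo_without_create() {
    f=$(make_sample ""); add_sss "$f"; sudoers_line "$f"; rm -f "$f"
}

# Requested state: create the entry first, then add sss (run twice to
# show the step is idempotent). $1 optionally seeds an existing line.
demo_with_create() {
    f=$(make_sample "$1"); ensure_sudoers_line "$f"
    add_sss "$f"; add_sss "$f"; sudoers_line "$f"; rm -f "$f"
}
```
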