** Description changed: + [ Impact ] + + * Installing libsss-sudo in Resolute breaks sudo authentication for local + users (i.e. in the "admin" or sudo "group") since it only adds "sss" (and + does not add "files") to the sudoers database in "/etc/nsswitch.conf". + + * This upload fixes this issue by reintroducing a runtime dependency on + libnss-sudo, which adds "files" to "/etc/nsswitch.conf". + + [ Test Plan ] + + * Run the following test script as root. + + grep ^sudoers: /etc/nsswitch.conf || echo 'no sudoers in + /etc/nsswitch.conf' + + if ! id testuser >/dev/null; then + useradd -m -G sudo -s /bin/bash testuser + echo testuser:ubuntu | chpasswd + fi + + su - testuser -c 'echo ubuntu | sudo -S whoami 2>&1' >/dev/null \ + && echo 'pass' \ + || echo 'fail' + + * The output should be + + sudoers: files sss + pass + + * Test both fresh installations (installing libsss-sudo fresh from -proposed) + and also upgrades from a broken version. + + [ Where problems could occur ] + + * This upload reintroduces a libnss-sudo runtime dependency. Problems could + occur there, but the package itself ships only maintscripts generated by + dh_installnss. + + [ Other Info ] + + * This bug is still not fixed in Stonking. The solution there will be + different, since the libnss-sudo package no longer ships the necessary + maintscripts to add "files" in /etc/nsswitch. + + * There is an WIP merge proposal for Stonking [1], but this can only be + uploaded after sudo is merged from Debian. 
+ + [ Original Bug Report ] + Unfortunately 26.04 inherited this bug from Debian: https://bugs.debian.org/1129522 Demonstration: - podman run -it --rm docker.io/ubuntu:26.04 sh -exc 'cat + podman run -it --rm docker.io/ubuntu:26.04 sh -exc 'cat /etc/nsswitch.conf; apt update; apt install -y libsss-sudo; cat /etc/nsswitch.conf' Initially, nsswitch.conf has no "sudoers:" entry, and after that it has - sudoers: sss + sudoers: sss This is missing "files", thus any attempt to run "sudo" by users in the "sudo" or "admin" groups fails. The cause of this is that the postinst script adds "sss" to the end of "sudoers:" and assumes that "files" is already there. This was proposed in base-files but not yet in the distribution: https://bugs.debian.org/770825 - PackageVersion: libsss-sudo_2.12.0-1ubuntu5_amd64.deb DistroRelease: Ubuntu 26.04
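Review bot: In the [ Test Plan ] script, `id testuser >/dev/null` discards only stdout, so on a machine where the account does not exist yet the error message from id still reaches the terminal and the output will not match the two lines given as expected. Redirect stderr as well (`id testuser >/dev/null 2>&1`). The script also leaves behind a member of the sudo group with the password "ubuntu"; ending it with `userdel -r testuser` would keep that account from lingering on test machines.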
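Review bot: In [ Other Info ], the WIP merge proposal for Stonking is cited as "[1]" but the added text contains no matching link, so the reference cannot be followed; add the URL under the list. The same section writes "/etc/nsswitch" where every other mention in the description uses "/etc/nsswitch.conf", and in [ Impact ] the quotes in `sudo "group"` look misplaced (the other group is written "admin", so "sudo" group would be consistent).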
https://bugs.launchpad.net/bugs/2151950

Title: libsss-sudo: Can't sudo after installing libsss-sudo (due to broken nsswitch update)
