Bdale Garbee wrote:
> Bob Proulx wrote:
> > Alternatively the sudo package could include a new conffile file in
> > the package /etc/sudoers.d/00-secure_path or some such that includes
> > the new secure_path setting. Being a new file it would be installed
> > by default without dialog and become available.
>
> The problem with this idea is that the include directive was only
> recently added to the default Debian sudoers file, and so many systems
> with customized sudoers files might remain broken.

Sorry but I don't understand. How would setting secure_path in a new sudoers.d file create a situation where a system would remain broken? Could you list an example of what you are talking about in order to make it concrete?

It isn't really a solution I prefer. But any method to keep secure_path set by default but allow a local admin to unset it would be fine. I just couldn't think of any better way than a new file. There doesn't seem to be a way to !secure_path with it defaulted unless I missed something. That was Bug#85123 of course.

But note that the NEWS entry is my first choice. Personally I am okay with it as long as I know about it. Of course I would prefer not to have to take action to keep the status quo but sometimes it is necessary and I will go with the flow if this is one of them. But I just know that users will be bitten by this and I just helped one such user on debian-user who ran headlong into this problem so there will be others.

> The solution I'd like best but haven't made time to try and work out yet
> is for the binary to have a default secure_path, but still allow
> secure_path to be overridden in the sudoers file. I'm about to head out
> the door for a week in which I'm unlikely to have time to work on this,
> so if you or anyone else want to figure out if some combination of
> existing configure arguments or a simple patch might allow this to be
> implemented, that'd be great!

I already gave it my brain cells and was unable to propose any better solution. But I will think about it and respond if I can produce any better suggestion.

> Oh, and thanks for the proposed NEWS entry text, I agree that given the
> reaction to this change so far, some notice is warranted, and will plan
> to merge this or something like it for the next upload.

Thanks!
Bob