Control: tags -1 + patch

On Sat, 24 Jan 2015 12:05:52 +0100 Andreas Beckmann <a...@debian.org> wrote:
> The upgrade to jessie with sudo-ldap/jessie went smooth, and thereafter
> I wanted to switch to sudo/jessie, which failed due to missing
> /etc/sudoers, the problem is reproducible in plain jessie, too:
>
> # apt-get install sudo
> <snip>
> WARNING: /etc/sudoers not present!
> chown: cannot access '/etc/sudoers': No such file or directory
> dpkg: error processing package sudo (--configure):
>  subprocess installed post-installation script returned error exit status 1
> Errors were encountered while processing:
>  sudo
> E: Sub-process /usr/bin/dpkg returned an error code (1)
The problem stems from the solution used to avoid an unnecessary action prompt for a conffile change when in fact there was no change. See bugs #636049, #612532, #660594.

1. Each respective preinst checks, via md5sum, if /etc/sudoers has changed. Iff not, it is moved to a temporary location at /etc/sudoers.pre-conffile.

2. Each respective postinst checks whether /etc/sudoers is present, and warns if it isn't (see WARNING quoted above).

3. Then follows an unconditional chown of /etc/sudoers, and when this fails, postinst aborts because of set -e. This is the first problem. It is of course possible for this file to be generally absent (it's a conffile, and the user might have forcefully removed it), so this chown should be guarded by a test for existence.

4. Later on, there is an attempt to remove the temporarily renamed /etc/sudoers.pre-conffile mentioned above:

> # if we've gotten this far .. remove the saved, unchanged old sudoers file
> rm -f /etc/sudoers.pre-conffile

This I don't understand. Why remove it? This file can only exist because of step 1. above, and if it exists, the purpose was to just temporarily move it out of the way to avoid a conffile-change question. Why is it being removed now? Shouldn't it just be moved back in step 2.?

Please find attached a debdiff against the version in t-p-u that

A. Makes the chmod/chown conditional on the existence of /etc/sudoers
B. When /etc/sudoers.pre-conffile exists, moves it back to /etc/sudoers. This is done unconditionally since the very existence of /etc/sudoers.pre-conffile implies that it is the pristine package version (recall the md5sum check above). So the user did not delete or change /etc/sudoers, and we want it back.

I'm confident that change A. is correct and necessary, but change B. depends on whether I understood the problem the code is trying to solve correctly!

I tested this with various combinations (pristine, changed, deleted /etc/sudoers), and TTBOMYK the result is policy-conform.

Additional testing would be highly appreciated, though.

Regards,
Christian
diff -Nru sudo-1.8.10p3/debian/changelog sudo-1.8.10p3/debian/changelog --- sudo-1.8.10p3/debian/changelog 2015-01-19 06:56:53.000000000 +0100 +++ sudo-1.8.10p3/debian/changelog 2015-01-28 23:46:41.000000000 +0100 @@ -1,3 +1,13 @@ +sudo (1.8.10p3-1+deb8u2) testing-proposed-updates; urgency=medium + + * Non-maintainer upload. + * Make sure that /etc/sudoers exists before attempting to chown/chmod it. + * When switching between sudo and sudo-ldap, move an unchanged, temporarily + renamed /etc/sudoers back to its original location to complete the switch. + Closes: #776137 + + -- Christian Kastner <deb...@kvr.at> Wed, 28 Jan 2015 23:39:59 +0100 + sudo (1.8.10p3-1+deb8u1) testing-proposed-updates; urgency=medium * Non-maintainer upload. diff -Nru sudo-1.8.10p3/debian/sudo-ldap.postinst sudo-1.8.10p3/debian/sudo-ldap.postinst --- sudo-1.8.10p3/debian/sudo-ldap.postinst 2014-09-14 18:26:06.000000000 +0200 +++ sudo-1.8.10p3/debian/sudo-ldap.postinst 2015-01-28 23:39:55.000000000 +0100 @@ -8,6 +8,11 @@ rm /etc/alternatives/sudo fi +# if the saved, unchanged old sudoers file exists, move it back +if [ -f /etc/sudoers.pre-conffile ];then + mv /etc/sudoers.pre-conffile /etc/sudoers +fi + # complain if no sudoers file is present if [ ! -f /etc/sudoers ];then echo "WARNING: /etc/sudoers not present!"; @@ -28,8 +33,10 @@ fi # make sure sudoers has the correct permissions and owner/group -chown root:root /etc/sudoers -chmod 440 /etc/sudoers +if [ -f /etc/sudoers ];then + chown root:root /etc/sudoers + chmod 440 /etc/sudoers +fi # create symlink to ease transition to new path for ldap config # if old config file exists and new one doesn't 
@@ -37,9 +44,6 @@ ln -s ldap/ldap.conf /etc/sudo-ldap.conf fi -# if we've gotten this far .. remove the saved, unchanged old sudoers file -rm -f /etc/sudoers.pre-conffile - # make sure we have a sudo group [ -n "`getent group sudo`" ] && exit 0 # we're finished if there is a group sudo: diff -Nru sudo-1.8.10p3/debian/sudo.postinst sudo-1.8.10p3/debian/sudo.postinst --- sudo-1.8.10p3/debian/sudo.postinst 2014-09-14 18:26:06.000000000 +0200 +++ sudo-1.8.10p3/debian/sudo.postinst 2015-01-28 23:39:56.000000000 +0100 @@ -8,6 +8,11 @@ rm /etc/alternatives/sudo fi +# if the saved, unchanged old sudoers file exists, move it back +if [ -f /etc/sudoers.pre-conffile ];then + mv /etc/sudoers.pre-conffile /etc/sudoers +fi + # complain if no sudoers file is present if [ ! -f /etc/sudoers ];then echo "WARNING: /etc/sudoers not present!"; @@ -22,11 +27,10 @@ fi # make sure sudoers has the correct permissions and owner/group -chown root:root /etc/sudoers -chmod 440 /etc/sudoers - -# if we've gotten this far .. remove the saved, unchanged old sudoers file -rm -f /etc/sudoers.pre-conffile +if [ -f /etc/sudoers ];then + chown root:root /etc/sudoers + chmod 440 /etc/sudoers +fi # make sure we have a sudo group
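Review bot: in the `@@ -8,6 +8,11 @@` hunks of both sudo-ldap.postinst and sudo.postinst, the new `mv /etc/sudoers.pre-conffile /etc/sudoers` runs even when an /etc/sudoers is already in place, which is the situation the preinst's move-aside is designed to produce (the old file is moved out of the way so the package's conffile can be installed without a prompt); in that case the saved old copy silently overwrites whatever was just installed. Suggest restoring only into a gap, e.g. `if [ -f /etc/sudoers.pre-conffile ] && [ ! -f /etc/sudoers ]; then mv /etc/sudoers.pre-conffile /etc/sudoers; fi`, and keeping the `rm -f /etc/sudoers.pre-conffile` cleanup that the `@@ -37,9 +44,6 @@` and `@@ -22,11 +27,10 @@` hunks drop, so a stale saved copy cannot linger and be replayed on a later switch. The `if [ -f /etc/sudoers ]` guard around chown/chmod is the right fix for the set -e abort in the report and keeps the existing WARNING as the only signal when the file is genuinely absent; it would help to add a changelog line or comment stating that a missing conffile is then treated as an admin decision rather than an error.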
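The following POSIX shell script is an added illustration, not part of Christian's debdiff or of the sudo package: it exercises the unguarded postinst sequence (chown/chmod then rm -f) beside the guarded one from the debdiff against a scratch directory, in the three states the report says were tested (pristine sudoers moved aside by preinst, admin-changed sudoers, deleted sudoers). Assumptions: the scratch root is passed as a parameter and the file lives at `$root/etc/sudoers`; ownership is not touched because `chown root:root` needs root, so only the `chmod 440` half of the permission fix is simulated; the abort that `set -e` causes in the real script is emulated with an explicit `|| return`, so the result does not depend on how the shell treats `set -e` inside a command substitution. dpkg's own conffile handling is not modelled.

```shell
#!/bin/sh
# Added example (not from the debdiff or the sudo package): runs the unguarded
# and guarded postinst sequences against a scratch root instead of the live
# /etc, so the failure mode from the bug report can be reproduced without root.
set -e

# Original (unguarded) sequence. The real script runs under set -e, so a failed
# chmod on a missing file aborts the whole postinst; "|| return $?" emulates that.
postinst_unguarded() {
    root=$1
    [ -f "$root/etc/sudoers" ] || echo "WARNING: $root/etc/sudoers not present!" >&2
    chmod 440 "$root/etc/sudoers" || return $?     # aborts when the file is absent
    rm -f "$root/etc/sudoers.pre-conffile"
    echo present
}

# Guarded sequence from the debdiff: restore a saved, unchanged copy if one
# exists, warn if the file is missing, and fix permissions only when present.
# Prints one word describing what happened so a caller can check the outcome.
postinst_guarded() {
    root=$1
    state=present
    if [ -f "$root/etc/sudoers.pre-conffile" ]; then
        mv "$root/etc/sudoers.pre-conffile" "$root/etc/sudoers"
        state=restored
    fi
    if [ ! -f "$root/etc/sudoers" ]; then
        echo "WARNING: $root/etc/sudoers not present!" >&2
        state=missing
    fi
    if [ -f "$root/etc/sudoers" ]; then
        chmod 440 "$root/etc/sudoers"
    fi
    echo "$state"
}

# Build a scratch root in one of three constructed states and print its path.
#   pristine: preinst moved an unchanged sudoers to sudoers.pre-conffile
#   changed:  an admin-edited sudoers is in place, nothing was moved aside
#   deleted:  the admin removed sudoers entirely
make_root() {
    root=$(mktemp -d)
    mkdir -p "$root/etc"
    case $1 in
        pristine) printf 'Defaults env_reset\n' > "$root/etc/sudoers.pre-conffile" ;;
        changed)  printf 'Defaults env_reset\nalice ALL=(ALL) ALL\n' > "$root/etc/sudoers" ;;
        deleted)  ;;
    esac
    echo "$root"
}

# Octal mode of a file; GNU stat first, BSD/macOS stat as fallback.
mode_of() { stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"; }

# Run postinst variant $1 against a fresh root in state $2 and print
# "<exit status> <state word or 'aborted'> <mode of sudoers or '-'>".
run_case() {
    root=$(make_root "$2")
    out=$("$1" "$root" 2>/dev/null) && status=0 || status=$?
    if [ -f "$root/etc/sudoers" ]; then mode=$(mode_of "$root/etc/sudoers"); else mode=-; fi
    echo "$status ${out:-aborted} $mode"
    rm -rf "$root"
}

# Stand-alone run: show every combination. The "pristine" row of the unguarded
# variant is the report's scenario: the file was moved aside and postinst dies.
for variant in postinst_unguarded postinst_guarded; do
    for st in pristine changed deleted; do
        echo "$variant $st: $(run_case "$variant" "$st")"
    done
done
```

The unguarded rows show why the report's `chown: cannot access '/etc/sudoers'` ends the install: any state in which the file is absent when postinst runs makes it exit non-zero. The guarded rows exit 0 in every state and leave a present file at mode 440; the deleted state produces only the WARNING, which is the behaviour change A in the mail argues for.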