Overview
Request 1127894 superseded
- Package/ship empty /etc/sudoers.d directory for admins to
discover where to put their won config.
- Introduce optional wheel and sudo group policies as separate packages
(bsc#1203978, jsc#PED-260)
- Install config files into /usr/etc and read from both location:
/etc and /usr/etc (bsc#1205118)
- Created by ohollmann
- In state superseded
- Supersedes 1114990
- Superseded by 1128361
- Open review for openSUSE:Factory:Staging:J
We should probably ship an empty /etc/sudoers.d even when our package installs files to /usr/etc - this would help users to discover that directory and hint at where to put their own snippets
in case confdir is /usr/etc, this results in a %config file in /usr - which rpmlint rightly remarks too:
sudo.s390x: W: non-etc-or-var-file-marked-as-conffile /usr/etc/sudo.conf sudo.s390x: W: non-etc-or-var-file-marked-as-conffile /usr/etc/sudo_logsrvd.conf
Curious: with the ALL ALL=(ALL) ALL still present in the main config file: doesn't that open gates to 'sudo as any user asking for own password' ? That's unlikely to be intentional
of course this was also possible in the old config - but one had to become root first (using root pw) and the sudo as any random user.
The new setup allows a wheel user to sudo -u xxx foo afaict
I should read the whole file :) - only root permitted (time for weekend - or less brainy work)
[ 65s] sudo-policy-sudo-auth-self.x86_64: E: polkit-file-unauthorized (Badness: 10000) /usr/share/polkit-1/rules.d/51-sudo.rules (sha256 file digest default filter:f771f054dff80233218bb658419bed786dfc30ca35ea0d3cd1ed4855be8ae4fd shell filter:f771f054dff80233218bb658419bed786dfc30ca35ea0d3cd1ed4855be8ae4fd xml filter:<failed-to-calculate>) [ 65s] sudo-policy-wheel-auth-self.x86_64: E: polkit-file-unauthorized (Badness: 10000) /usr/share/polkit-1/rules.d/51-wheel.rules (sha256 file digest default filter:6fa951c8cb81606a10bd82e6ef8e260e98cc84e68e9a49310a8a670889e31b4d shell filter:6fa951c8cb81606a10bd82e6ef8e260e98cc84e68e9a49310a8a670889e31b4d xml filter:<failed-to-calculate>) [ 65s] Packaging polkit rules requires a review and whitelisting by the SUSE security [ 65s] team. If the package is intended for inclusion in any SUSE product please open [ 65s] a bug report to request review of the package by the security team. Please [ 65s] refer to [ 65s] https://en.opensuse.org/openSUSE:Package_security_guidelines#audit_bugs for [ 65s] more information.
I'm wondering if the whitelist for this has been requested?
It was discussed in bug bsc#1215652. Is it sufficient or who should I contact?
There is a new issue with this, ceph is failing at rpmlint tests with:
[ 6164s] ceph-base-16.2.14.66+g7aa6ce9419f-2.8.x86_64.rpm: directories not owned by a package: [ 6164s] - /etc/sudoers.d
cc: @fbonazzi
wrong @, @ohollmann can you address the comments below
@fbonazzi he should get the comments of his SR (unless he disabled notifications, a different issue). I was cc'ing you to keep in the loop because this is holding your rpmlint SR
ah cheers, my bad. we had reviewed these sudo changes originally so I thought that was why you were involving me. makes sense thanks
Request History
ohollmann created request
- Package/ship empty /etc/sudoers.d directory for admins to
discover where to put their won config.
- Introduce optional wheel and sudo group policies as separate packages
(bsc#1203978, jsc#PED-260)
- Install config files into /usr/etc and read from both location:
/etc and /usr/etc (bsc#1205118)
factory-auto added opensuse-review-team as a reviewer
Please review sources
factory-auto accepted review
Check script succeeded
licensedigger accepted review
ok
anag+factory set openSUSE:Factory:Staging:J as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:J"
anag+factory accepted review
Picked "openSUSE:Factory:Staging:J"
dimstar accepted review
anag+factory added factory-staging as a reviewer
Being evaluated by group "factory-staging"
anag+factory accepted review
Unstaged from project "openSUSE:Factory:Staging:J"
anag+factory set openSUSE:Factory:Staging:J as a staging project
Being evaluated by staging project "openSUSE:Factory:Staging:J"
anag+factory accepted review
Picked "openSUSE:Factory:Staging:J"
- Update to 1.9.15p2:
* Fixed a bug on BSD systems where sudo would not restore the
terminal settings on exit if the terminal had parity enabled.
GitHub issue #326.
- Update to 1.9.15p1:
* Fixed a bug introduced in sudo 1.9.15 that prevented LDAP-based
sudoers from being able to read the ldap.conf file.
GitHub issue #325.
- Update to 1.9.15:
* Fixed an undefined symbol problem on older versions of macOS
when "intercept" or "log_subcmds" are enabled in sudoers.
GitHub issue #276.
* Fixed "make check" failure related to getpwent(3) wrapping
on NetBSD.
* Fixed the warning message for "sudo -l command" when the command
is not permitted. There was a missing space between "list" and
the actual command due to changes in sudo 1.9.14.
* Fixed a bug where output could go to the wrong terminal if
"use_pty" is enabled (the default) and the standard input, output
or error is redirected to a different terminal. Bug #1056.
* The visudo utility will no longer create an empty file when the
specified sudoers file does not exist and the user exits the
editor without making any changes. GitHub issue #294.
* The AIX and Solaris sudo packages on www.sudo.ws now support
"log_subcmds" and "intercept" with both 32-bit and 64-bit
binaries. Previously, they only worked when running binaries
with the same word size as the sudo binary. GitHub issue #289.
* The sudoers source is now logged in the JSON event log. This
makes it possible to tell which rule resulted in a match.
* Running "sudo -ll command" now produces verbose output that
