Univention Bugzilla – Attachment 7352 Details for Bug 37995: Ship default sudo rules for domain admins
[patch] Proposed changes - untested
37995-sudo-Only-enable-for-new-installs.patch (text/plain), 7.70 KB, created by Philipp Hahn on 2015-12-08 10:48:49 CET
>From e47945a03562d4ed68c4455eddfc22ccee2497d4 Mon Sep 17 00:00:00 2001 >Message-Id: <e47945a03562d4ed68c4455eddfc22ccee2497d4.1449568005.git.hahn@univention.de> >From: Philipp Hahn <hahn@univention.de> >Date: Tue, 8 Dec 2015 10:44:03 +0100 >Subject: [PATCH] Bug #37995 sudo: Only enable for new installs >Organization: Univention GmbH, Bremen, Germany > >Allow members of "Domain Administrators" to use sudo. > >A this gives those users root privileges, enable it only on fresh >installs, not on upgrades! >--- > .../ucs-4.1-0/base/univention-dvd/debian/changelog | 6 +++++ > .../base/univention-dvd/tasks/ucs410/task-ucs410 | 1 + > .../ucs-4.1-0/base/univention-pam/debian/changelog | 6 +++++ > .../ucs-4.1-0/base/univention-pam/debian/control | 3 ++- > .../univention-pam/debian/univention-pam.postinst | 31 +++------------------- > .../conffiles/etc/sudoers.d/univention | 2 +- > .../base/univention-sudo/debian/changelog | 6 +++++ > ...ntion-sudo.univention-config-registry-variables | 5 ++++ > 8 files changed, 31 insertions(+), 29 deletions(-) > create mode 100644 branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry-variables > >diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/debian/changelog b/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/debian/changelog >index 5d8451f..9e6f375 100644 >--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/debian/changelog >+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/debian/changelog >@@ -1,3 +1,9 @@ >+univention-dvd (1.0.0-20) unstable; urgency=low >+ >+ * Bug #37995: Add univention-sudo >+ >+ -- Philipp Hahn <hahn@univention.de> Tue, 08 Dec 2015 10:43:11 +0100 >+ > univention-dvd (1.0.0-19) unstable; urgency=low > > * Bug #37006 : add univention-nagios-s4-connector >diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/tasks/ucs410/task-ucs410 b/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/tasks/ucs410/task-ucs410 >index f10b7f6..70aa110 100644 
>--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/tasks/ucs410/task-ucs410 >+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-dvd/tasks/ucs410/task-ucs410 >@@ -62,6 +62,7 @@ openssh-blacklist > python-univention-license > univention-nagios-client > univention-saml >+univention-sudo > screen > > univention-management-console-module-quota >diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/changelog b/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/changelog >index 0b9ed8b..07372e9 100644 >--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/changelog >+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/changelog >@@ -1,3 +1,9 @@ >+univention-pam (9.0.0-3) unstable; urgency=low >+ >+ * Bug #37995: Add sudo support >+ >+ -- Philipp Hahn <hahn@univention.de> Tue, 08 Dec 2015 10:34:13 +0100 >+ > univention-pam (9.0.0-2) unstable; urgency=low > > * Bug #24840: add dependency on german wordlist for cracklib >diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/control b/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/control >index b6eb79e..bbcacdb 100644 >--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/control >+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/control >@@ -22,7 +22,8 @@ Depends: ${misc:Depends}, > python-univention-lib (>= 3.0.26-14), > libnss-extrausers > Recommends: >- univention-home-mounter >+ univention-home-mounter, >+ univention-sudo, > Description: UCS - login configuration > This package contains the configuration for the pluggable > authentication modules (PAM) and the network name switch >diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/univention-pam.postinst b/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/univention-pam.postinst >index 7340b29..32f7ea3 100644 >--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/univention-pam.postinst >+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-pam/debian/univention-pam.postinst 
>@@ -39,18 +39,6 @@ ln -sf /etc/machine.secret /etc/libnss-ldap.secret > # /etc/pam_ldap.secret is required for rootbinddn in /etc/pam_ldap.conf > ln -sf /etc/machine.secret /etc/pam_ldap.secret > >-# Update to UCS 3.0, increase nscd cache sizes if pre 3.0 default values >-# are used. Bug #21358 >-if [ "$1" = configure -a -n "$2" ] && dpkg --compare-versions "$2" lt 5.0.15-1; then >- if [ "$nscd_passwd_size" = "3001" -a "$nscd_group_size" = "3001" -a "$nscd_hosts_size" = "3001" ]; then >- univention-config-registry set \ >- nscd/passwd/size=6007 \ >- nscd/group/size=56003 \ >- nscd/hosts/size=6007 \ >- nscd/group/maxdbsize=62914560 >- fi >-fi >- > univention-config-registry set \ > nscd/passwd/size?6007 \ > nscd/group/size?56003 \ >@@ -114,13 +102,6 @@ if [ -e /etc/univention/templates/files/etc/pam.d/common-auth ]; then > rm /etc/univention/templates/files/etc/pam.d/common-auth > fi > >-if [ "$1" = configure -a -n "$2" ] && dpkg --compare-versions "$2" lt 6.0.2-1; then >- if is_ucr_true nss/group/cachefile; then >- /usr/lib/univention-pam/ldap-group-to-file.py >- univention-config-registry set nscd/group/invalidate_cache_on_changes="false" >- fi >-fi >- > # Restart listener > if [ -x "/etc/init.d/univention-directory-listener" ] ; then > /etc/init.d/univention-directory-listener crestart 
>@@ -138,14 +119,10 @@ univention-config-registry set \ > 'security/limits/default/user/hard/nofile?32768' \ > 'security/limits/group/Domain Users/hard/nproc?1000' > >-# Bug #32415, can be removed after 4.0-0 >-if [ "$1" = configure -a -n "$2" ] && dpkg --compare-versions "$2" lt 8.0.1-2; then >- if [ -n "$security_limits_user_default_user_soft_nofile" ]; then >- ucr unset security/limits/user/default/user/soft/nofile >- fi >- if [ -n "$security_limits_user_default_user_hard_nofile" ]; then >- ucr unset security/limits/user/default/user/hard/nofile >- fi >+# Bug #37995: Enable sudo only on new UCS-4.1 installs >+if [ "$1" = configure ] && [ -n "$2" ] >+then >+ univention-config-registry set auth/sudo?yes > fi > > call_joinscript 11univention-pam.inst >diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/conffiles/etc/sudoers.d/univention b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/conffiles/etc/sudoers.d/univention >index 06233d6..67631d2 100644 >--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/conffiles/etc/sudoers.d/univention >+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/conffiles/etc/sudoers.d/univention >@@ -4,7 +4,7 @@ > @!@ > import re > group = configRegistry.get("groups/default/domainadmins", "Domain Admins") >-if group: >+if group and configRegistry.is_true('auth/sudo'): > da = re.sub(r'([ !=:,()\\])', r'\\\1', group) > print "%{} ALL=(ALL:ALL) ALL".format(da) > @!@ >diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/changelog b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/changelog >index 435d589..4df36fb 100644 >--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/changelog >+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/changelog 
>@@ -1,3 +1,9 @@ >+univention-sudo (1.0.0-3) unstable; urgency=low >+ >+ * Bug #37995: Only enable for new installs >+ >+ -- Philipp Hahn <hahn@univention.de> Tue, 08 Dec 2015 10:43:36 +0100 >+ > univention-sudo (1.0.0-2) unstable; urgency=low > > * move file permission from postinst to ucr conf, escape all forbidden >diff --git a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry-variables b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry-variables >new file mode 100644 >index 0000000..cfe2c72 >--- /dev/null >+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry-variables >@@ -0,0 +1,5 @@ >+[auth/sudo] >+Description[de]=Erlaubt die sudo Regeln für Domänenadministratoren. >+Description[en]=Permits the sudo rules for domain administrators. >+Type=bool >+Categories=system-base >-- >2.1.4 >
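Review bot: In the univention-pam.postinst hunk at @@ -138,14 +119,10, the test `[ "$1" = configure ] && [ -n "$2" ]` is inverted relative to the comment above it. dpkg passes the most recently configured version as $2, so a non-empty $2 means an upgrade or reconfigure, and $2 is empty on a fresh install. As written, `auth/sudo?yes` is set on upgrades and skipped on new installs, which is the opposite of what the commit message asks for, and the variable hands out root. Use `[ -z "$2" ]` here, and decide whether a first-time install of this package on an already running system should count as a "new UCS-4.1 install".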
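Review bot: In the sudoers.d/univention template hunk, gating on `configRegistry.is_true('auth/sudo')` means an unset variable now produces no rule at all, so hosts that already run univention-sudo 1.0.0-2 with the previously unconditional `if group:` lose their existing entry on upgrade unless something sets the variable. If that is intended, say so in the univention-sudo changelog entry. The diffstat also shows no change to the template's registration file, so confirm that auth/sudo is listed as a trigger variable for this template; otherwise changing it later will not regenerate the sudoers file.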
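Review bot: In the univention-pam debian/control hunk, adding univention-sudo to Recommends means the sudoers template can be pulled onto existing systems when univention-pam is upgraded, so the only thing keeping upgraded hosts from getting the rule is the auth/sudo gate. That makes the postinst condition and the template default the security boundary of this change; both should be tested on an upgrade path before this is merged, given the attachment is marked untested. Also consider setting auth/sudo from univention-sudo's own maintainer script, since that package registers the variable and univention-pam only recommends it.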
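Review bot: The Description[de] and Description[en] texts in the new univention-sudo.univention-config-registry-variables file do not say what enabling auth/sudo grants. Per the template, a true value emits `%<group> ALL=(ALL:ALL) ALL` for the group named in groups/default/domainadmins, which is unrestricted root on the host. State that in both descriptions, along with the fact that an unset variable is treated as disabled.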