Bug 37995 - Ship default sudo rules for domain admins
Ship default sudo rules for domain admins
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: General
UCS 4.0
Other Linux
: P5 enhancement (vote)
: UCS 4.1-0-errata
Assigned To: Daniel Tröder
Philipp Hahn
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2015-03-10 14:55 CET by Tim Petersen
Modified: 2015-12-22 16:11 CET (History)
4 users (show)

See Also:
What kind of report is it?: ---
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number:
Bug group (optional): Roadmap discussion (moved)
Max CVSS v3 score:


Attachments
univention-sudo.diff (3.26 KB, patch)
2015-12-04 15:10 CET, Philipp Hahn
Details | Diff
Proposed changes - untested (7.70 KB, patch)
2015-12-08 10:48 CET, Philipp Hahn
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Petersen univentionstaff 2015-03-10 14:55:28 CET
We should ship wide sudo rules for "domain admins" per default.
Comment 1 Daniel Tröder univentionstaff 2015-11-24 16:04:37 CET
A new package univention-sudo (in base) was added in r65879 and build to errata4.1-0.

It will however not ship by default, because I was not sure if that is really wished. "sudo" is not part of the default UCS installation. "univention-sudo" is (currently) dependent on "sudo".

* Should it be left like this? → mention in manual?
* Should it be added to the default installation? → add to some meta-package
* Should only the config, but not the sudo executable be installed by default? → remove sudo-dependency.
→ depending on decision, it might need a YAML
Comment 2 Philipp Hahn univentionstaff 2015-12-01 12:53:15 CET
# apt-cache show univention-sudo
...
Description: This package installs default rules for the
 sudo command.
...

<https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Description>
Comment 3 Daniel Tröder univentionstaff 2015-12-04 09:37:27 CET
Thanks - fixed in 1.0.0-1 (r66103).
Comment 4 Philipp Hahn univentionstaff 2015-12-04 14:57:13 CET
FAIL: no branches/ucs-4.1/ucs-4.1-0/doc/errata/staging/univention-sudo.yaml
FAIL: rm debian/postinst (or rename to debian/univention-sudo.postinst if needed)
FAIL: rm debian/univention-sudo.univention-config-registry-variables
FAIL: patch debian/univention-sudo.univention-config-registry <<__PATCH__
--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry
+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry
@@ -1,3 +1,6 @@
 Type: file
 File: etc/sudoers.d/univention
 Variables: groups/default/domainadmins
+User: root
+Group: root
+Mode: 0440
__PATCH__

FAIL: ucr set groups/default/domainadmins=
> $ sudo -v
> sudo: parse error in /etc/sudoers.d/univention near line 13
> sudo: no valid sudoers sources found, quitting
Please skip printing anything if set to empty.

FAIL: conffiles/etc/sudoers.d/univention
The escaping is incomplete; see `man sudoers` → "Other special characters and reserved words":
> The following characters must be escaped with a backslash (‘\’) when used as part of a word (e.g. a user
> name or host name): ‘!’, ‘=’, ‘:’, ‘,’, ‘(’, ‘)’, ‘\’.

OK: r65879 r66103
Comment 5 Philipp Hahn univentionstaff 2015-12-04 15:10:03 CET
Created attachment 7347 [details]
univention-sudo.diff
Comment 6 Daniel Tröder univentionstaff 2015-12-07 10:09:22 CET
Applied patch, added YAML: 66117
New build: 1.0.0-2.3.201512071007 (yaml update r66118).
Comment 7 Philipp Hahn univentionstaff 2015-12-08 10:48:15 CET
(In reply to Daniel Tröder from comment #6)
> Applied patch, added YAML: 66117

OK

> New build: 1.0.0-2.3.201512071007 (yaml update r66118).

OK

TODO: add univention-sudo to univention-dvd/tasks/ucs410/task-ucs410
TODO: add univention-sudo as a recommends of univention-pam (or another default package like univention-server-role-common) to install it by default for new UCS-4.1 systems.
TODO: add a UCRV 'auth/sudo' to enable the rules only for new installs.
Comment 8 Philipp Hahn univentionstaff 2015-12-08 10:48:49 CET
Created attachment 7352 [details]
Proposed changes - untested
Comment 9 Daniel Tröder univentionstaff 2015-12-17 10:19:05 CET
Proposed patch applied (66421, 66422, 66423), packages build, errata-dvd build, it's in maintained now. Advisories for univention-pam and univention-sudo were added in r66424.
Comment 10 Philipp Hahn univentionstaff 2015-12-17 14:18:07 CET
OK: univention-pam=9.0.0-4.266.201512171301
OK: univention-sudo=1.0.0-3.4.201512170902
OK: ucr unset auth/sudo
OK: ucr set auth/sudo=yes
OK: stat /etc/sudoers.d/univention
OK: r66421 r66422 r66423 r66424 r66427 r66428c
OK: errata-announce -V --only-failed -BB univention-pam.yaml
OK: errata-announce -V --only-failed -BB univention-sudo.yaml
FIXED: univention-pam.yaml univention-sudo.yaml -> r66432
OK: su - Administrator / sudo -s
Comment 11 Arvid Requate univentionstaff 2015-12-22 16:04:38 CET
<http://errata.software-univention.de/ucs/4.1/37.html>
Comment 12 Arvid Requate univentionstaff 2015-12-22 16:11:11 CET
<http://errata.software-univention.de/ucs/4.1/42.html>