Univention Bugzilla – Bug 37995
Ship default sudo rules for domain admins
Last modified: 2015-12-22 16:11:11 CET
We should ship wide sudo rules for "domain admins" by default.
A new package univention-sudo (in base) was added in r65879 and built to errata4.1-0.
It will however not ship by default, because I was not sure if that is really wanted. "sudo" is not part of the default UCS installation. "univention-sudo" is (currently) dependent on "sudo".
* Should it be left like this? → mention in manual?
* Should it be added to the default installation? → add to some meta-package
* Should only the config, but not the sudo executable be installed by default? → remove sudo-dependency.
→ depending on decision, it might need a YAML
# apt-cache show univention-sudo
Description: This package installs default rules for the
Thanks - fixed in 1.0.0-1 (r66103).
FAIL: no branches/ucs-4.1/ucs-4.1-0/doc/errata/staging/univention-sudo.yaml
FAIL: rm debian/postinst (or rename to debian/univention-sudo.postinst if needed)
FAIL: rm debian/univention-sudo.univention-config-registry-variables
FAIL: patch debian/univention-sudo.univention-config-registry <<__PATCH__
@@ -1,3 +1,6 @@
FAIL: ucr set groups/default/domainadmins=
> $ sudo -v
> sudo: parse error in /etc/sudoers.d/univention near line 13
> sudo: no valid sudoers sources found, quitting
Please skip printing anything if set to empty.
The escaping is incomplete; see `man sudoers` → "Other special characters and reserved words":
> The following characters must be escaped with a backslash (‘\’) when used as part of a word (e.g. a user
> name or host name): ‘!’, ‘=’, ‘:’, ‘,’, ‘(’, ‘)’, ‘\’.
OK: r65879 r66103
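The two points from the review above (print nothing when the variable is empty, and escape the characters sudoers reserves), as an added example that is not part of the original bug thread or the univention-sudo package. The function names, the rule text `ALL=(ALL:ALL) ALL`, the escaping of spaces, and the rejection of control characters, `#` and `"` are assumptions made for illustration.

```python
# Added example, not the univention-sudo template itself.
SUDOERS_SPECIAL = set('!=:,()\\')  # the set quoted from `man sudoers` above
REJECTED = set('#"')               # assumption: refuse rather than guess an escape


def escape_sudoers_word(word):
    """Backslash-escape a user/group name for use as an unquoted sudoers word."""
    out = []
    for ch in word:
        if ord(ch) < 0x20 or ord(ch) == 0x7F or ch in REJECTED:
            # A newline in the value would start a new sudoers line, i.e. a new rule.
            raise ValueError('unsafe character %r in sudoers word' % ch)
        if ch in SUDOERS_SPECIAL or ch == ' ':
            out.append('\\')
        out.append(ch)
    return ''.join(out)


def render_group_rule(group):
    """Return one sudoers line for the group, or '' when the value is unset/empty."""
    if group is None or not group.strip():
        return ''  # print nothing, so the generated file stays parseable
    # Hypothetical rule text; the page does not show the shipped rule.
    return '%%%s ALL=(ALL:ALL) ALL\n' % escape_sudoers_word(group.strip())


if __name__ == '__main__':
    # Constructed sample values, including the empty case from the failed check.
    for value in ('Domain Admins', '', 'ops=team,(eu)'):
        print(repr(value), '->', repr(render_group_rule(value)))
```

Checking the generated file with `visudo -c -f` before it is installed into /etc/sudoers.d catches any remaining parse error without locking sudo out.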
Created attachment 7347
Applied patch, added YAML: 66117
New build: 1.0.0-2.3.201512071007 (yaml update r66118).
(In reply to Daniel Tröder from comment #6)
> Applied patch, added YAML: 66117
> New build: 1.0.0-2.3.201512071007 (yaml update r66118).
TODO: add univention-sudo to univention-dvd/tasks/ucs410/task-ucs410
TODO: add univention-sudo as a recommends of univention-pam (or another default package like univention-server-role-common) to install it by default for new UCS-4.1 systems.
TODO: add a UCRV 'auth/sudo' to enable the rules only for new installs.
Created attachment 7352
Proposed changes - untested
Proposed patch applied (66421, 66422, 66423), packages built, errata-dvd built, it's in maintained now. Advisories for univention-pam and univention-sudo were added in r66424.
OK: ucr unset auth/sudo
OK: ucr set auth/sudo=yes
OK: stat /etc/sudoers.d/univention
OK: r66421 r66422 r66423 r66424 r66427 r66428c
OK: errata-announce -V --only-failed -BB univention-pam.yaml
OK: errata-announce -V --only-failed -BB univention-sudo.yaml
FIXED: univention-pam.yaml univention-sudo.yaml -> r66432
OK: su - Administrator / sudo -s