Univention Bugzilla – Full Text Bug Listing |
Summary: | Ship default sudo rules for domain admins | ||
---|---|---|---|
Product: | UCS | Reporter: | Tim Petersen <petersen> |
Component: | General | Assignee: | Daniel Tröder <troeder> |
Status: | CLOSED FIXED | QA Contact: | Philipp Hahn <hahn> |
Severity: | enhancement | ||
Priority: | P5 | CC: | gohmann, grandjean, hahn, requate |
Version: | UCS 4.0 | ||
Target Milestone: | UCS 4.1-0-errata | ||
Hardware: | Other | ||
OS: | Linux | ||
Ticket number: | Bug group (optional): | Roadmap discussion (moved) | |
Attachments: | univention-sudo.diff; Proposed changes - untested |
Description
Tim Petersen
2015-03-10 14:55:28 CET
A new package univention-sudo (in base) was added in r65879 and built to errata4.1-0. It will however not ship by default, because I was not sure if that is really wished.

"sudo" is not part of the default UCS installation. "univention-sudo" is (currently) dependent on "sudo".
* Should it be left like this? → mention in manual?
* Should it be added to the default installation? → add to some meta-package
* Should only the config, but not the sudo executable be installed by default? → remove sudo-dependency.

→ depending on decision, it might need a YAML

# apt-cache show univention-sudo
...
Description: This package installs default rules for the sudo command.
...
<https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Description>

Thanks - fixed in 1.0.0-1 (r66103).

FAIL: no branches/ucs-4.1/ucs-4.1-0/doc/errata/staging/univention-sudo.yaml
FAIL: rm debian/postinst (or rename to debian/univention-sudo.postinst if needed)
FAIL: rm debian/univention-sudo.univention-config-registry-variables
FAIL: patch debian/univention-sudo.univention-config-registry <<__PATCH__ --- a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry +++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry 
@@ -1,3 +1,6 @@ Type: file File: etc/sudoers.d/univention Variables: groups/default/domainadmins +User: root +Group: root +Mode: 0440 __PATCH__

FAIL: ucr set groups/default/domainadmins=
> $ sudo -v
> sudo: parse error in /etc/sudoers.d/univention near line 13
> sudo: no valid sudoers sources found, quitting
Please skip printing anything if set to empty.

FAIL: conffiles/etc/sudoers.d/univention
The escaping is incomplete; see `man sudoers` → "Other special characters and reserved words":
> The following characters must be escaped with a backslash (‘\’) when used as part of a word (e.g. a user name or host name): ‘!’, ‘=’, ‘:’, ‘,’, ‘(’, ‘)’, ‘\’.

OK: r65879 r66103

Created attachment 7347 [details]
univention-sudo.diff
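Review bot: The added User/Group/Mode lines settle ownership and permissions, but the entry still regenerates etc/sudoers.d/univention on any change to groups/default/domainadmins with no syntax check on the result. As this same review shows, a single parse error in that file makes sudo quit with "no valid sudoers sources found", so the rendered file should be checked with `visudo -c -f` before it replaces the live one, or the template should at least emit nothing when the variable is empty.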
Applied patch, added YAML: 66117
New build: 1.0.0-2.3.201512071007 (yaml update r66118).

(In reply to Daniel Tröder from comment #6)
> Applied patch, added YAML: 66117
OK
> New build: 1.0.0-2.3.201512071007 (yaml update r66118).
OK

TODO: add univention-sudo to univention-dvd/tasks/ucs410/task-ucs410
TODO: add univention-sudo as a recommends of univention-pam (or another default package like univention-server-role-common) to install it by default for new UCS-4.1 systems.
TODO: add a UCRV 'auth/sudo' to enable the rules only for new installs.

Created attachment 7352 [details]
Proposed changes - untested
Proposed patch applied (66421, 66422, 66423), packages build, errata-dvd build, it's in maintained now. Advisories for univention-pam and univention-sudo were added in r66424.

OK: univention-pam=9.0.0-4.266.201512171301
OK: univention-sudo=1.0.0-3.4.201512170902
OK: ucr unset auth/sudo
OK: ucr set auth/sudo=yes
OK: stat /etc/sudoers.d/univention
OK: r66421 r66422 r66423 r66424 r66427 r66428c
OK: errata-announce -V --only-failed -BB univention-pam.yaml
OK: errata-announce -V --only-failed -BB univention-sudo.yaml
FIXED: univention-pam.yaml univention-sudo.yaml -> r66432
OK: su - Administrator / sudo -s
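
The two template failures raised in the QA comment above (a parse error when groups/default/domainadmins is empty, and incomplete escaping of sudoers special characters) can be handled as in the following added example. It is not the univention-sudo template: the rule text, the function names and the sample values are assumptions, and the extra escaping of spaces follows the sudoers manual rather than this page.

```python
# Added example, not the univention-sudo template shipped by the package.

# Characters `man sudoers` requires to be backslash-escaped inside a word,
# exactly as quoted in the QA comment.
SUDOERS_SPECIAL = "!=:,()\\"

# Assumption: the real rule text is not shown on the page.
ASSUMED_RULE = "%{group} ALL=(ALL:ALL) ALL"


def escape_sudoers_word(word):
    """Backslash-escape a user or group name for unquoted use in sudoers."""
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in word):
        # A newline would start a new sudoers line, i.e. an extra rule.
        raise ValueError("control character in sudoers word: %r" % word)
    out = []
    for ch in word:
        # Spaces also need a backslash in unquoted names (sudoers manual).
        if ch in SUDOERS_SPECIAL or ch == " ":
            out.append("\\")
        out.append(ch)
    return "".join(out)


def render_sudoers(ucr):
    """Return the body of /etc/sudoers.d/univention for a UCR-like dict."""
    group = (ucr.get("groups/default/domainadmins") or "").strip()
    if not group:
        # Unset or empty: print nothing instead of a half-written rule.
        return ""
    return ASSUMED_RULE.format(group=escape_sudoers_word(group)) + "\n"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    key = "groups/default/domainadmins"
    for value in ("Domain Admins", "", "ops,admins (EU)", "admins\nsecond line"):
        try:
            print(repr(value), "->", repr(render_sudoers({key: value})))
        except ValueError as exc:
            print(repr(value), "-> rejected:", exc)
```

Rejecting control characters matters because the file is generated from a configuration variable: a value containing a newline would otherwise add a second line to a file that sudo trusts.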