Univention Bugzilla – Bug 37995
Ship default sudo rules for domain admins
Last modified: 2015-12-22 16:11:11 CET
We should ship wide sudo rules for "domain admins" per default.
A new package univention-sudo (in base) was added in r65879 and built to errata4.1-0. It will however not ship by default, because I was not sure if that is really wished. "sudo" is not part of the default UCS installation. "univention-sudo" is (currently) dependent on "sudo".
* Should it be left like this? → mention in manual?
* Should it be added to the default installation? → add to some meta-package
* Should only the config, but not the sudo executable be installed by default? → remove sudo-dependency.
→ depending on decision, it might need a YAML
# apt-cache show univention-sudo
...
Description: This package installs default rules for the sudo command.
...
<https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Description>
Thanks - fixed in 1.0.0-1 (r66103).
FAIL: no branches/ucs-4.1/ucs-4.1-0/doc/errata/staging/univention-sudo.yaml FAIL: rm debian/postinst (or rename to debian/univention-sudo.postinst if needed) FAIL: rm debian/univention-sudo.univention-config-registry-variables FAIL: patch debian/univention-sudo.univention-config-registry <<__PATCH__ --- a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry +++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry @@ -1,3 +1,6 @@ Type: file File: etc/sudoers.d/univention Variables: groups/default/domainadmins +User: root +Group: root +Mode: 0440 __PATCH__ FAIL: ucr set groups/default/domainadmins= > $ sudo -v > sudo: parse error in /etc/sudoers.d/univention near line 13 > sudo: no valid sudoers sources found, quitting Please skip printing anything if set to empty. FAIL: conffiles/etc/sudoers.d/univention The escaping is incomplete; see `man sudoers` → "Other special characters and reserved words": > The following characters must be escaped with a backslash (‘\’) when used as part of a word (e.g. a user > name or host name): ‘!’, ‘=’, ‘:’, ‘,’, ‘(’, ‘)’, ‘\’. OK: r65879 r66103
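Review bot: The added User: root / Group: root / Mode: 0440 lines at the end of the hunk fix ownership and permissions only, and nothing in this file entry guards against the template rendering an invalid sudoers file. The same comment shows that `ucr set groups/default/domainadmins=` produces a parse error near line 13, after which sudo finds no valid sudoers sources and quits. The template in conffiles/etc/sudoers.d/univention should emit no rule when the variable is empty, and running `visudo -c -f` against the rendered file during testing would catch this class of breakage before it ships.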
Created attachment 7347: univention-sudo.diff
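The two template defects named in the QA comment above (a rule printed for an empty groups/default/domainadmins, and incomplete escaping) can be handled as in the following added example. It is not the code from univention-sudo or from either attachment; the function names, the plain-dict stand-in for UCR and the rule form `%group ALL=(ALL:ALL) ALL` are assumptions.

```python
import re

# Characters that sudoers(5) requires to be backslash-escaped inside a word,
# as quoted in the QA comment: ! = : , ( ) \
# A space is included as well, because an unquoted group name such as
# "Domain Admins" must have its spaces escaped too.
_SPECIAL = re.compile(r'([!=:,()\\ ])')


def escape_sudoers_word(word):
    """Backslash-escape a user or group name for unquoted use in sudoers."""
    return _SPECIAL.sub(r'\\\1', word)


def render_domain_admins_rule(ucr):
    """Return the sudoers lines for the domain admins group, or [] if unset.

    `ucr` is any mapping of variable names to values (a plain dict here).
    The rule form "%group ALL=(ALL:ALL) ALL" is assumed for this example.
    """
    group = (ucr.get('groups/default/domainadmins') or '').strip()
    if not group:
        # Printing "% ALL=..." is a parse error, and one parse error makes
        # sudo refuse every rule ("no valid sudoers sources found").
        return []
    if any(ord(ch) < 32 for ch in group):
        # A newline or other control character in the value would start a
        # new sudoers line, so refuse to render it at all.
        raise ValueError('control character in group name: %r' % group)
    return ['%%%s ALL=(ALL:ALL) ALL' % escape_sudoers_word(group)]


if __name__ == '__main__':
    # Constructed sample values, not taken from a real system.
    for value in ('Domain Admins', '', 'ops,(eu):team!'):
        lines = render_domain_admins_rule({'groups/default/domainadmins': value})
        print(repr(value), '->', lines)
```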
Applied patch, added YAML: 66117
New build: 1.0.0-2.3.201512071007 (yaml update r66118).
(In reply to Daniel Tröder from comment #6)
> Applied patch, added YAML: 66117
OK
> New build: 1.0.0-2.3.201512071007 (yaml update r66118).
OK
TODO: add univention-sudo to univention-dvd/tasks/ucs410/task-ucs410
TODO: add univention-sudo as a recommends of univention-pam (or another default package like univention-server-role-common) to install it by default for new UCS-4.1 systems.
TODO: add a UCRV 'auth/sudo' to enable the rules only for new installs.
Created attachment 7352: Proposed changes - untested
Proposed patch applied (66421, 66422, 66423), packages built, errata-dvd built, it's in maintained now. Advisories for univention-pam and univention-sudo were added in r66424.
OK: univention-pam=9.0.0-4.266.201512171301
OK: univention-sudo=1.0.0-3.4.201512170902
OK: ucr unset auth/sudo
OK: ucr set auth/sudo=yes
OK: stat /etc/sudoers.d/univention
OK: r66421 r66422 r66423 r66424 r66427 r66428c
OK: errata-announce -V --only-failed -BB univention-pam.yaml
OK: errata-announce -V --only-failed -BB univention-sudo.yaml
FIXED: univention-pam.yaml univention-sudo.yaml -> r66432
OK: su - Administrator / sudo -s
<http://errata.software-univention.de/ucs/4.1/37.html>
<http://errata.software-univention.de/ucs/4.1/42.html>