Bug 37995 - Ship default sudo rules for domain admins
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: General
Version: UCS 4.0
Hardware/OS: Other Linux
Importance: P5 enhancement
Target Milestone: UCS 4.1-0-errata
Assigned To: Daniel Tröder
QA Contact: Philipp Hahn
Reported: 2015-03-10 14:55 CET by Tim Petersen
Modified: 2015-12-22 16:11 CET (History)
Bug group (optional): Roadmap discussion (moved)

Attachments
univention-sudo.diff (3.26 KB, patch), 2015-12-04 15:10 CET, Philipp Hahn
Proposed changes - untested (7.70 KB, patch), 2015-12-08 10:48 CET, Philipp Hahn

Description Tim Petersen univentionstaff 2015-03-10 14:55:28 CET
We should ship wide sudo rules for "domain admins" per default.
Comment 1 Daniel Tröder univentionstaff 2015-11-24 16:04:37 CET
A new package univention-sudo (in base) was added in r65879 and built to errata4.1-0.

It will however not ship by default, because I was not sure if that is really wished. "sudo" is not part of the default UCS installation. "univention-sudo" is (currently) dependent on "sudo".

* Should it be left like this? → mention in manual?
* Should it be added to the default installation? → add to some meta-package
* Should only the config, but not the sudo executable be installed by default? → remove sudo-dependency.
→ depending on decision, it might need a YAML
Comment 2 Philipp Hahn univentionstaff 2015-12-01 12:53:15 CET
# apt-cache show univention-sudo
...
Description: This package installs default rules for the
 sudo command.
...

<https://www.debian.org/doc/debian-policy/ch-controlfields.html#s-f-Description>
Comment 3 Daniel Tröder univentionstaff 2015-12-04 09:37:27 CET
Thanks - fixed in 1.0.0-1 (r66103).
Comment 4 Philipp Hahn univentionstaff 2015-12-04 14:57:13 CET
FAIL: no branches/ucs-4.1/ucs-4.1-0/doc/errata/staging/univention-sudo.yaml
FAIL: rm debian/postinst (or rename to debian/univention-sudo.postinst if needed)
FAIL: rm debian/univention-sudo.univention-config-registry-variables
FAIL: patch debian/univention-sudo.univention-config-registry <<__PATCH__
--- a/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry
+++ b/branches/ucs-4.1/ucs-4.1-0/base/univention-sudo/debian/univention-sudo.univention-config-registry
@@ -1,3 +1,6 @@
 Type: file
 File: etc/sudoers.d/univention
 Variables: groups/default/domainadmins
+User: root
+Group: root
+Mode: 0440
__PATCH__
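Review bot: pinning `User: root`, `Group: root` and `Mode: 0440` on the generated `etc/sudoers.d/univention` is the important part of this hunk and deserves a sentence in the errata YAML: sudo refuses to load a sudoers file that is not root-owned or carries a more permissive mode than 0440, and a template written with the process umask would then silently disable sudo for every account the fragment covers ("no valid sudoers sources found", as the parse-error case in this same comment shows). Since `Variables: groups/default/domainadmins` means the file is rewritten on every change of that variable, the template itself also has to cope with the empty-value case raised below; the ownership fix alone does not cover it.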

FAIL: ucr set groups/default/domainadmins=
> $ sudo -v
> sudo: parse error in /etc/sudoers.d/univention near line 13
> sudo: no valid sudoers sources found, quitting
Please skip printing anything if set to empty.

FAIL: conffiles/etc/sudoers.d/univention
The escaping is incomplete; see `man sudoers` → "Other special characters and reserved words":
> The following characters must be escaped with a backslash (‘\’) when used as part of a word (e.g. a user
> name or host name): ‘!’, ‘=’, ‘:’, ‘,’, ‘(’, ‘)’, ‘\’.

OK: r65879 r66103
Comment 5 Philipp Hahn univentionstaff 2015-12-04 15:10:03 CET
Created attachment 7347 [details]
univention-sudo.diff
Comment 6 Daniel Tröder univentionstaff 2015-12-07 10:09:22 CET
Applied patch, added YAML: 66117
New build: 1.0.0-2.3.201512071007 (yaml update r66118).
Comment 7 Philipp Hahn univentionstaff 2015-12-08 10:48:15 CET
(In reply to Daniel Tröder from comment #6)
> Applied patch, added YAML: 66117

OK

> New build: 1.0.0-2.3.201512071007 (yaml update r66118).

OK

TODO: add univention-sudo to univention-dvd/tasks/ucs410/task-ucs410
TODO: add univention-sudo as a recommends of univention-pam (or another default package like univention-server-role-common) to install it by default for new UCS-4.1 systems.
TODO: add a UCRV 'auth/sudo' to enable the rules only for new installs.
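The two template defects flagged in comment 4 (an empty `groups/default/domainadmins` producing an unparseable sudoers line, and group names containing sudoers special characters not being escaped) and the `auth/sudo` switch proposed in comment 7 are easy to get wrong in a generated sudoers fragment. The following is an added example, not code from this bug report or from the univention-sudo package: a plain dict stands in for UCR, the function names `sudoers_escape`, `render_sudoers_fragment` and `sudoers_file_ok` are hypothetical, and the rule "emit the rules only when `auth/sudo` is `yes`" is an assumed reading of the TODO above.

```python
"""Render a sudoers.d fragment for the domain-admins group from UCR-like input.

Constructed example: a dict stands in for UCR and the function names are
hypothetical; this is not the univention-sudo template itself.
"""
import stat

# Characters sudoers(5) requires to be backslash-escaped inside a word (the
# list quoted from the man page in comment 4).  Whitespace is escaped as well,
# because a group such as "Domain Admins" would otherwise parse as two words.
SUDOERS_SPECIAL = frozenset('!=:,()\\')


def sudoers_escape(word):
    """Escape one sudoers word (a user, group or host name)."""
    return ''.join('\\' + ch if ch in SUDOERS_SPECIAL or ch.isspace() else ch
                   for ch in word)


def render_sudoers_fragment(ucr):
    """Return the content of /etc/sudoers.d/univention, or '' if nothing should be written.

    Assumption: the rules are active only when the UCR variable auth/sudo is
    'yes' (the switch proposed in comment 7; its exact semantics are assumed).
    An unset or empty groups/default/domainadmins yields an empty file instead
    of a '% ALL=(ALL) ALL' line, which is what made sudo abort with a parse
    error in comment 4.
    """
    if ucr.get('auth/sudo', '').strip().lower() != 'yes':
        return ''
    group = (ucr.get('groups/default/domainadmins') or '').strip()
    if not group:
        return ''
    lines = [
        '# Generated from UCR variable groups/default/domainadmins; do not edit by hand',
        '%' + sudoers_escape(group) + ' ALL=(ALL) ALL',
    ]
    return '\n'.join(lines) + '\n'


def sudoers_file_ok(st_mode, st_uid, st_gid):
    """Check that a sudoers.d file has the owner and mode the packaging fix pins.

    sudo refuses a sudoers file that is not root-owned or has a more permissive
    mode than 0440, so a wrongly installed fragment disables sudo for everyone
    it covers.  Arguments mirror the fields of os.stat().
    """
    return st_uid == 0 and st_gid == 0 and stat.S_IMODE(st_mode) == 0o440


if __name__ == '__main__':
    # Constructed UCR snapshots mirroring the test steps in comment 10.
    for snapshot in (
        {'auth/sudo': 'yes', 'groups/default/domainadmins': 'Domain Admins'},
        {'auth/sudo': 'yes', 'groups/default/domainadmins': ''},  # ucr set ...domainadmins=
        {'groups/default/domainadmins': 'Domain Admins'},          # ucr unset auth/sudo
    ):
        print(repr(render_sudoers_fragment(snapshot)))
    # Equivalent of 'stat /etc/sudoers.d/univention' on simulated inodes.
    print(sudoers_file_ok(stat.S_IFREG | 0o440, 0, 0),
          sudoers_file_ok(stat.S_IFREG | 0o644, 0, 0))
```

Returning an empty string for the unset and empty cases lets the template write a zero-byte file, which sudo accepts, rather than a line with a missing group name, which makes sudo reject every sudoers source; the escaping covers the full man-page list rather than only the characters the default group name happens to contain.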
Comment 8 Philipp Hahn univentionstaff 2015-12-08 10:48:49 CET
Created attachment 7352 [details]
Proposed changes - untested
Comment 9 Daniel Tröder univentionstaff 2015-12-17 10:19:05 CET
Proposed patch applied (66421, 66422, 66423), packages built, errata-dvd built, it's in maintained now. Advisories for univention-pam and univention-sudo were added in r66424.
Comment 10 Philipp Hahn univentionstaff 2015-12-17 14:18:07 CET
OK: univention-pam=9.0.0-4.266.201512171301
OK: univention-sudo=1.0.0-3.4.201512170902
OK: ucr unset auth/sudo
OK: ucr set auth/sudo=yes
OK: stat /etc/sudoers.d/univention
OK: r66421 r66422 r66423 r66424 r66427 r66428c
OK: errata-announce -V --only-failed -BB univention-pam.yaml
OK: errata-announce -V --only-failed -BB univention-sudo.yaml
FIXED: univention-pam.yaml univention-sudo.yaml -> r66432
OK: su - Administrator / sudo -s
Comment 11 Arvid Requate univentionstaff 2015-12-22 16:04:38 CET
<http://errata.software-univention.de/ucs/4.1/37.html>
Comment 12 Arvid Requate univentionstaff 2015-12-22 16:11:11 CET
<http://errata.software-univention.de/ucs/4.1/42.html>