libsss-sudo.postinst clobbers local change to /etc/nsswitch.conf
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
sssd (Debian) | Fix Released | Unknown | |
sssd (Ubuntu) | Fix Released | High | Andreas Hasenack |
Xenial | Fix Released | Undecided | Andreas Hasenack |
Bionic | Fix Released | Undecided | Andreas Hasenack |
Bug Description
[Impact]
The libsss-sudo package insists on inserting a "sudoers: files sss" configuration line into /etc/nsswitch.conf at install time and every upgrade after that. If the line already exists and has no "sss" component, the postinst adds that.
This behavior ignores changes the user might have made. For example, some users remove "sss", as seen in bug #1249777. At the next upgrade, libsss-sudo will just add it back again.
The proposed fix here is already applied in Debian and later Ubuntu releases, and only triggers the nsswitch.conf check on first install.
[Test Case]
* Install libsss-sudo:
$ sudo apt install libsss-sudo
* Verify the sudoers line with sss was added to /etc/nsswitch.conf:
$ grep ^sudoers /etc/nsswitch.conf
sudoers: files sss
* Remove sss from that line, so it becomes:
$ grep ^sudoers /etc/nsswitch.conf
sudoers: files
* Reinstall the package (or upgrade to a package without the fix):
$ sudo apt install --reinstall libsss-sudo
* Without the fix, sss will be back:
$ grep ^sudoers /etc/nsswitch.conf
sudoers: files sss
* With the fixed package, the line will remain as you left it before, without sss:
$ grep ^sudoers /etc/nsswitch.conf
sudoers: files
[Regression Potential]
Someone could perhaps be surprised that reinstalling the package won't make it "work again", in the case they removed "sss" from the sudoers line in /etc/nsswitch.conf and expected a reinstallation to fix it.
[Other Info]
One could argue that if the user doesn't want to use sudo with sss, then why install libsss-sudo?
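A sketch of the "first install only" behaviour described under [Impact], as an added example that is not the package's actual debian/libsss-sudo.postinst. It assumes the standard dpkg convention that a postinst is called as `configure <previously-configured-version>` with an empty second argument on a fresh install; the function name `ensure_sudoers_sss`, the version string and the temporary file are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the real libsss-sudo.postinst.
# ensure_sudoers_sss ACTION PREV_VERSION [FILE]
#   ACTION and PREV_VERSION stand in for the postinst arguments "$1" and "$2".
#   FILE defaults to /etc/nsswitch.conf; pass a copy when experimenting.
ensure_sudoers_sss() {
    action=$1
    prev_version=$2
    conf=${3:-/etc/nsswitch.conf}

    # Act only during "configure"; ignore abort-upgrade and friends.
    [ "$action" = "configure" ] || return 0
    # A non-empty previous version means upgrade or reinstall:
    # whatever the admin left on the sudoers line is kept.
    [ -z "$prev_version" ] || return 0

    if ! grep -q '^sudoers:' "$conf"; then
        # No sudoers line yet: add the default one.
        printf 'sudoers: files sss\n' >> "$conf"
    elif ! grep -Eq '^sudoers:.*[[:space:]]sss([[:space:]]|$)' "$conf"; then
        # Line exists without sss: append it, keeping the other sources.
        tmp=$(mktemp) || return 1
        # cat back into place so the file keeps its owner and mode.
        sed '/^sudoers:/ s/[[:space:]]*$/ sss/' "$conf" > "$tmp" &&
            cat "$tmp" > "$conf"
        rm -f "$tmp"
    fi
}

# Demo on a constructed copy, never the live /etc/nsswitch.conf.
demo=$(mktemp)
printf 'passwd: files sss\nsudoers: files\n' > "$demo"
ensure_sudoers_sss configure "1.0-1" "$demo"   # upgrade path: file untouched
grep '^sudoers' "$demo"
ensure_sudoers_sss configure "" "$demo"        # first-install path: sss added
grep '^sudoers' "$demo"
rm -f "$demo"
```

The upgrade call mirrors the last step of the test case: an admin who removed "sss" keeps "sudoers: files" across reinstalls.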
Related branches

- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Diff: 30 lines (+10/-2), 2 files modified: debian/changelog (+7/-0), debian/libsss-sudo.postinst (+3/-2)

- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Canonical Server packageset reviewers: Pending requested
- Diff: 30 lines (+10/-2), 2 files modified: debian/changelog (+7/-0), debian/libsss-sudo.postinst (+3/-2)

- Christian Ehrhardt (community): Approve
- Canonical Server: Pending requested
- Diff: 230 lines (+162/-1), 2 files modified: debian/changelog (+160/-0), debian/control (+2/-1)

Changed in sssd (Debian):
status: Unknown → New
Changed in sssd (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
Changed in sssd (Ubuntu):
status: In Progress → Fix Committed
Changed in sssd (Debian):
status: New → Fix Released
tags: added: bitesize
tags: added: server-next
Changed in sssd (Ubuntu Xenial):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in sssd (Ubuntu Bionic):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in sssd (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in sssd (Ubuntu Bionic):
status: Confirmed → In Progress
description: updated
description: updated
Debian bug link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903917