latest natty sudo upgrade prompts for conffile update and potentially removes %admin from /etc/sudoers

Bug #690873 reported by Dustin Kirkland on 2010-12-15
This bug affects 15 people
Affects: sudo (Ubuntu)
Assigned to: Canonical Foundations Team

Bug Description

Binary package hint: sudo

Configuration file /etc/sudoers has changed:

Setting up sudo (1.7.4p4-5ubuntu1) ...

Configuration file `/etc/sudoers'
 ==> File on system created by you or by a script.
 ==> File also in package provided by package maintainer.
   What would you like to do about it ? Your options are:
    Y or I : install the package maintainer's version
    N or O : keep your currently-installed version
      D : show the differences between the versions
      Z : start a shell to examine the situation
 The default action is to keep your current version.
*** sudoers (Y/I/N/O/D/Z) [default=N] ?

Looking at the diff...

--- /etc/sudoers 2010-12-13 12:09:29.000000000 -0600
+++ /etc/sudoers.dpkg-new 2010-12-15 14:46:00.000000000 -0600
@@ -1,10 +1,11 @@
-# /etc/sudoers
 # This file MUST be edited with the 'visudo' command as root.
+# Please consider adding local content in /etc/sudoers.d/ instead of
+# directly modifying this file.
 # See the man page for details on how to write a sudoers file.
 Defaults env_reset

 # Host alias specification
@@ -14,14 +15,9 @@
 # Cmnd alias specification

 # User privilege specification
-root ALL=(ALL) ALL

 # Allow members of group sudo to execute any command
-# (Note that later entries override this, so you might need to move
-# it further down)
-%sudo ALL=(ALL) ALL
-#includedir /etc/sudoers.d
+%sudo ALL=(ALL:ALL) ALL

-# Members of the admin group may gain root privileges
-%admin ALL=(ALL) ALL
+#includedir /etc/sudoers.d
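
Review bot: this hunk drops both `%admin ALL=(ALL) ALL` and `root ALL=(ALL) ALL` and adds no replacement for either, so a user who answers "Y" to the conffile prompt is left with only `%sudo ALL=(ALL:ALL) ALL` granting sudo rights; on an install whose primary user is in group `admin` rather than `sudo`, that is a lockout from root. The `(ALL)` to `(ALL:ALL)` change on the `%sudo` line is harmless, but the `%admin` entry should be carried into the shipped file (or into a file under `/etc/sudoers.d/`, which the `#includedir` line at the end now pulls in) rather than silently removed, and the new file should be checked to confirm the removed `root` entry reappears outside the visible context before this version is accepted.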

The part that really, really, really sucks is -%admin ALL=(ALL) ALL. That will remove sudo privileges from your admin user. Very likely, you yourself.

This needs to be fixed ASAP.

Changed in sudo (Ubuntu):
status: New → Triaged
importance: Undecided → Critical
Dustin Kirkland (kirkland) wrote :

Looks like Debian has made /etc/sudoers a conffile, when it wasn't one before.

Kees Cook (kees) wrote :

Seems like the %admin stanza needs to ship in /etc/sudoers.d/ now (d-i, ubiquity), and the postinst needs to migrate it sanely to avoid this conffile conflict on upgrade.

Dustin Kirkland (kirkland) wrote :

As a short term workaround (perhaps even long term solution?), Ubuntu's sudo package's debian/sudoers probably needs "%admin ALL=(ALL) ALL" in there, to preserve sanity.

Kees Cook (kees) wrote :

I've uploaded an ubuntu2 that adds %admin to the shipped sudoers file, which will workaround the loss of sudo when people hit "Y". This bug still needs more fixing, but it requires some thought on how to build an appropriate preinst script to handle the many cases of /etc/sudoers content, since it's traditionally been generated through a combination of the postinst-installed sudoers file and d-i/ubiquity adding the %admin line.

Kees Cook (kees) on 2010-12-16
summary: - latest natty sudo upgrade removes admin from /etc/sudoers
+ latest natty sudo upgrade prompts for conffile update and potentially
+ removes %admin from /etc/sudoers
Loïc Minier (lool) wrote :

The sudoers.d/README claims that sudoers isn't a conffile, but it is; also, this README is actually parsed by sudo.

(I recall sudoers being both a conffile AND updated in postinst in the past, but that appears to no longer be the case)

If we move to a sudoers.d file for Ubuntu's %admin entry, then we need to fix upgrades to actually add the #includedir directive as README also claims that it is NOT added on upgrades. (To me, this seems a bad idea: the package adds a helpful sudoers.d facility, but doesn't ensure that it's actually working across upgrades.....)

Loïc Minier (lool) wrote :

I'm lowering severity a bit as a workaround has been uploaded in natty already, so it doesn't break upgrades anymore; it's just a prompt we need to get rid of.

Changed in sudo (Ubuntu Natty):
importance: Critical → High
Lorenzo De Liso (blackz) wrote :

Now that sudo in Debian has a conffile, can't we let sudo add that line?

Michael Vogt (mvo) on 2011-01-07
Changed in sudo (Ubuntu Natty):
milestone: none → ubuntu-11.04-beta
tags: added: iso-testing
Michael Vogt (mvo) on 2011-02-03
tags: added: natty
Changed in sudo (Ubuntu Natty):
assignee: nobody → Canonical Foundations Team (canonical-foundations)
Michael Vogt (mvo) wrote :

I'm looking at this currently.

The default sudoers from the package does not contain the %admin line and has the following md5sum:
   360f70ce177a300375555cf5b4f61b84 /etc/sudoers
Because our default sudoers now has %admin in it we trigger the conffile prompt on upgrade. This is
the first case that needs to be handled (e.g. for chroots and similar systems).

When ubuntu-vm-builder is used, it creates a sudoers file like this:
   b66718709de786a59279ad12d1940774 /etc/sudoers
This is the one we need for e.g. VM upgrades.

The template for the sudoers file in vmbuilder looks like this but can be ignored as "cheetah" renders it in a way that makes
it result in the above md5sum on the clients (just for ref the template 8e8cc1f27fc80ac6fc33ccfab60c0c4d /etc/sudoers).

When a (slightly dated) natty install is upgraded to the current sudo (with the %admin line in sudoers), the admin line is added again, resulting in:
   d078f15745d795ae04b7301ca584715d /etc/sudoers

A regular maverick install has:
   2c6b4653d46ac9416faa08b1b8f24fe5 /etc/sudoers

The live-cd sudoers are slightly different (because they have NOPASSWD in).

This is a bit of a mess.

Marc Deslauriers (mdeslaur) wrote :

The only sane way to handle this, IMHO, is to revert the change in (1.7.4p4-5) that made sudoers a conffile.

Michael Vogt (mvo) wrote :

Here is my approach for a fix. It takes the known default /etc/sudoers and if one of them is found
overwrites with the new default. This ensures we don't get a prompt (and also that we will not get
one in the future unless the user really modifies the conffile).

If the file is modified then the dpkg conffile prompt is triggered, but thats fine, the user modified it afterall.

Michael Vogt (mvo) wrote :

The patch is an outline of the fix; currently it needs:
- removal of the echo output (this is just for me)
- more md5sums of older releases to ensure we have a reasonable coverage

Marc Deslauriers (mdeslaur) wrote :

Ah, that's a nice fix...better than reverting the change!

Michael Vogt (mvo) wrote :

Colin suggested stripping whitespace and comments. I added code for this now to reduce the number of md5sums to check.

Please note that just removing "^#" is not good enough: "#include" and "#includedir" have special meanings, and the same goes
for "#" in a username context. I therefore decided to go with a very conservative approach and kill only ^#$ and ^#[[:space:]]+$
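
The known-default check described in the comments above (the md5sum list and the conservative comment stripping), written out as an added example. This is not the preinst Michael Vogt uploaded in 1.7.4p4-5ubuntu5; the sample default file, the "new default" it is replaced with, and the function names are constructed for the demonstration, and a real preinst would carry the md5sums of every shipped default rather than computing one from a sample.

```shell
#!/bin/sh
# Added example (not the sudo preinst from the bug): a "known default
# /etc/sudoers" check.  A sudoers file is normalised conservatively and its
# md5sum compared against sums of unmodified defaults, so a preinst can swap
# in the new default before dpkg sees the file and avoid the conffile prompt.
# The sample default and its sum are constructed here (an assumption).

# Only trailing whitespace, blank lines and comment-only "#" lines go.
# After the trailing-whitespace strip, "^#[[:space:]]+$" has become "^#$",
# so one delete covers both.  "#include", "#includedir" and "#uid" mean
# something to sudo, so a blanket "^#" strip would equate files that differ
# in behaviour.
normalize_sudoers() {
    sed -e 's/[[:space:]]*$//' -e '/^#$/d' -e '/^$/d' "$1"
}

sudoers_sum() {
    normalize_sudoers "$1" | md5sum | cut -d' ' -f1
}

# Constructed stand-in for one shipped default (assumption; the real
# defaults are identified by the md5sums quoted in the thread).
write_sample_default() {
    cat > "$1" <<'EOF'
# This file MUST be edited with the 'visudo' command as root.
# See the man page for details on how to write a sudoers file.
Defaults env_reset

# User privilege specification
root ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL

#includedir /etc/sudoers.d
EOF
}

# Returns 0 if the normalised sum of $1 is in the whitespace-separated list $2.
is_known_default() {
    sum=$(sudoers_sum "$1")
    for known in $2; do
        [ "$sum" = "$known" ] && return 0
    done
    return 1
}

# What a preinst does with the answer: an untouched default ($1) is replaced
# by the newly shipped one ($2); a user-edited file is left for dpkg's prompt.
# Prints "replaced" or "kept".
preinst_handle_sudoers() {
    if is_known_default "$1" "$3"; then
        cp "$2" "$1" && echo replaced
    else
        echo kept
    fi
}

# Demonstration: cosmetic edits (extra blank lines, bare "#" lines, trailing
# spaces) still match the default; a policy change (NOPASSWD for %admin)
# does not.  Returns 0 when both cases behave as expected.
run_demo() {
    tmp=$(mktemp -d)
    write_sample_default "$tmp/default"
    known=$(sudoers_sum "$tmp/default")

    { cat "$tmp/default"; printf '#\n#   \n\n'; } | sed 's/$/  /' > "$tmp/cosmetic"
    { cat "$tmp/default"; echo '%admin ALL=(ALL) NOPASSWD: ALL'; } > "$tmp/modified"
    printf '%%admin ALL=(ALL) ALL\n' > "$tmp/new-default"

    a=$(preinst_handle_sudoers "$tmp/cosmetic" "$tmp/new-default" "$known")
    b=$(preinst_handle_sudoers "$tmp/modified" "$tmp/new-default" "$known")
    rm -rf "$tmp"
    [ "$a" = replaced ] && [ "$b" = kept ]
}

run_demo && echo "known-default check behaves as expected"
```

The point of normalising before hashing is the one Colin raised: the same default has reached systems through d-i, ubiquity, vmbuilder and chroots with slightly different blank lines and comment spacing, and one sum per variant is fragile. The point of stripping only bare "#" lines is the one made above: `#includedir` is a directive, and a "#" can appear in a user or uid position, so those lines must survive the comparison.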

Michael Vogt (mvo) wrote :

Here is the proposed final version. I still do a quick check against dapper's sudoers file, but the approach should be good now.

tags: added: patch
Michael Vogt (mvo) on 2011-03-24
Changed in sudo (Ubuntu Natty):
status: Triaged → In Progress
Michael Vogt (mvo) wrote :

I tested the final version and it seems to be fine. Feedback welcome, if I don't hear anything, I will upload tomorrow early morning (in +9h).

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.7.4p4-5ubuntu5

sudo (1.7.4p4-5ubuntu5) natty; urgency=low

  * debian/sudo.preinst:
    - avoid conffile prompt by checking for known default /etc/sudoers
      and if found installing the correct default /etc/sudoers file
      (LP: #690873)
 -- Michael Vogt <email address hidden> Fri, 25 Mar 2011 09:13:43 +0100

Changed in sudo (Ubuntu Natty):
status: In Progress → Fix Released
Ori Avtalion (salty-horse) wrote :

Loïc Minier wrote on 2010-12-16: #6
>The sudoers.d/README claims that sudoers isn't a conffile, but it is; also, this README is actually parsed by sudo.

This claim has been removed from the debian package:;a=commitdiff;h=d2bea82818b233f7b68ae4263c3c0c5f8abd7ac9

brian mullan (bmullan) wrote :

I just installed 11.04 released version and Synaptic won't accept passwords if launched with gksu from the menu but will if synaptic is launched with sudo from the command line

Are you sure this bug ever fixed for the release?
