user prompted for sudo changes on upgrade in ec2/uec image

Bug #768625 reported by Scott Moser on 2011-04-21
This bug affects 2 people
Affects: Release Notes for Ubuntu; Importance: Undecided; Assigned to: Unassigned
Affects: sudo (Ubuntu); Importance: Medium; Assigned to: Unassigned
Affects: Natty; Importance: Medium; Assigned to: Unassigned
Affects: Oneiric; Importance: Medium; Assigned to: Ubuntu Foundations Team

Bug Description

Binary package hint: sudo

This is a much less severe bug than bug 761689.

Instead of *not* being prompted, and being permanently locked out of sudo, the user is shown a prompt asking what to do about the differences in sudo configuration, and suggesting they use sudo.d.

In the limited case of EC2/UEC images, we can recognize that they're using an unmodified sudo file and appropriately write a sudo.d entry for them.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: sudo 1.7.4p4-5ubuntu7
ProcVersionSignature: User Name 2.6.38-8.42-virtual 2.6.38.2
Uname: Linux 2.6.38-8-virtual i686
Architecture: i386
Date: Thu Apr 21 21:51:09 2011
Ec2AMI: ami-a6f504cf
Ec2AMIManifest: ubuntu-images-us/ubuntu-maverick-10.10-i386-server-20101225.manifest.xml
Ec2AvailabilityZone: us-east-1c
Ec2InstanceType: m1.small
Ec2Kernel: aki-407d9529
Ec2Ramdisk: unavailable
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: sudo
UpgradeStatus: Upgraded to natty on 2011-04-21 (0 days ago)

== natty release note ==
When upgrading a UEC Image to 11.04 on EC2 or UEC, the user will be prompted regarding changes to local file /etc/sudoers. Selecting "Accept the maintainer's version" will result in the 'ubuntu' user losing access to sudo. Instead, select the default response "keep your currently-installed version" (N).

== SRU Information ==
 * Impact: This bug affects upgrade from 10.10 to 11.04 on the "UEC Images" only. UEC Images come with a 'ubuntu' user pre-configured with passwordless sudo access. Upon upgrade of sudo, if the user selects "Accept the Maintainer's version" of the sudoers file, then they will lose sudo access entirely.
 * How Bug is addressed: The bug is fixed by modifying the pre-install script of sudo to recognize the particular md5sum of /etc/sudoers that exists in UEC images. If that md5sum is found, then the stock /etc/sudoers file is laid down, and the 'ubuntu user' specific sudoers stanza is written to /etc/sudoers.d/90-cloud-ubuntu .
 * Patch: The changes for this fix are available at http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/oneiric/sudo/oneiric/revision/49 .
 * Regression Potential: The regression potential here should be *very* low. The only time where a different codepath will be taken is if /etc/sudoers has a known md5sum.
 * TEST CASE:
   * Launch an EC2 instance of 10.10.
   * ssh in as 'ubuntu@host'
   * enable -proposed
   * sudo apt-get update
   * sudo do-release-upgrade
   * The user will not be prompted for merge of /etc/sudoers
   * After upgrade, user still has passwordless sudo access.
   * Note: if the fix was not available (i.e., proposed not enabled) then the user will be prompted for merge of /etc/sudoers.

Scott Moser (smoser) wrote :

Michael,
  I would appreciate your thoughts on this bug.

Scott Moser (smoser) on 2011-04-22
tags: added: server-nrs
Scott Moser (smoser) wrote :

The fix I'm proposing here is fairly simple.
  If the md5sum is one that was written by vm-builder for the UEC/Ec2 images, then do the right thing, and write a /etc/sudoers.d/ entry for the ubuntu user.

Changed in sudo (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in sudo (Ubuntu Oneiric):
status: New → Confirmed
importance: Undecided → Medium
Changed in sudo (Ubuntu Oneiric):
assignee: nobody → Ubuntu Foundations Team (ubuntu-foundations-team)
Scott Moser (smoser) on 2011-04-27
description: updated
Scott Moser (smoser) wrote :

The only thing I'm not clear on on this bug is what file naming convention we should be / are using in /etc/sudoers.d/. I selected
"uec-ubuntu-user", which probably isn't right.

A quick check of apt-file shows that at the moment in natty, only one file other than README is installed there (/etc/sudoers.d/nova_sudoers). I would suggest that is also a bad name, and that we should do something with
  XX-name
where XX is a 2 digit prefix.

Anyone have thoughts on that? I think it might make sense for this case to be:
 90-uec-ubuntu

Eric Hammond (esh) wrote :

Since "UEC" is a specific product and this is used with both UEC and EC2, should the name be more generic like "cloud" instead of "uec"?

On Thu, 5 May 2011, Eric Hammond wrote:

> Since "UEC" is a specific product and this is used with both UEC and
> EC2, should the name be more generic like "cloud" instead of "uec"?

I chose 'uec' simply because it is written by the "uec" image build
process.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.7.4p4-5ubuntu8

---------------
sudo (1.7.4p4-5ubuntu8) oneiric; urgency=low

  * debian/sudo.preinst:
    - if well-known ec2 vmbuilder file is found, write a file in
      sudoers.d for the 'ubuntu' user (LP: #768625)
 -- Scott Moser <email address hidden> Thu, 21 Apr 2011 18:04:34 -0400

Changed in sudo (Ubuntu Oneiric):
status: Confirmed → Fix Released
Michael Vogt (mvo) wrote :

I uploaded the fix into both oneiric and natty-proposed now. Please add SRU instructions to the bug description for the testers.

Changed in sudo (Ubuntu Natty):
status: New → In Progress
importance: Undecided → Medium
Scott Moser (smoser) on 2011-05-24
description: updated

Accepted sudo into natty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation how to enable and use -proposed. Thank you in advance!

Changed in sudo (Ubuntu Natty):
status: In Progress → Fix Committed
tags: added: verification-needed
Scott Moser (smoser) wrote :

I followed the steps in the SRU information in the description with
us-east-1 ami-b2e811db ubuntu-oneiric-daily-amd64-server-20110601

I was not prompted for changes to the sudo file, and still able to 'sudo' without password as the ubuntu user.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.7.4p4-5ubuntu7.1

---------------
sudo (1.7.4p4-5ubuntu7.1) natty-proposed; urgency=low

  * debian/sudo.preinst:
    - if well-known ec2 vmbuilder file is found, write a file in
      sudoers.d for the 'ubuntu' user (LP: #768625)
 -- Scott Moser <email address hidden> Thu, 21 Apr 2011 18:04:34 -0400

Changed in sudo (Ubuntu Natty):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

I think the release notes task is obsolete now.

Changed in ubuntu-release-notes:
status: New → Won't Fix