latest natty sudo upgrade prompts for conffile update and potentially removes %admin from /etc/sudoers

Looks like Debian has made /etc/sudoers a conffile, when it wasn't one before.

Before:
 * http://pastebin.com/Sze9Yk3H

After:
 * http://pastebin.com/g1ghJNaX

Seems like the %admin stanza needs to ship in /etc/sudoers.d/ now (d-i, ubiquity), and the postinst needs to migrate it sanely to avoid this conffile conflict on upgrade.

As a short term workaround (perhaps even long term solution?), Ubuntu's sudo package's debian/sudoers probably needs "%admin ALL=(ALL) ALL" in there, to preserve sanity.

I've uploaded an ubuntu2 that adds %admin to the shipped sudoers file, which will workaround the loss of sudo when people hit "Y". This bug still needs more fixing, but it requires some thought on how to build an appropriate preinst script to handle the many cases of /etc/sudoers content, since it's traditionally been generated through a combination of the postinst-installed sudoers file and d-i/ubiquity adding the %admin line.

The sudoers.d/README claims that sudoers isn't a conffile, but it is; also, this README is actually parsed by sudo.

(I recall sudoers being both a conffile AND updated in postinst in the past, but that appears to no longer be the case)

If we move to a sudoers.d file for Ubuntu's %admin entry, then we need to fix upgrades to actually add the #includedir directive as README also claims that it is NOT added on upgrades. (To me, this seems a bad idea: the package adds a helpful sudoers.d facility, but doesn't ensure that it's actually working across upgrades.....)

I'm lowering severity a bit as a workaround as been uploaded in natty already, so it doesn't break upgrades anymore, it's just a prompt we need to get rid of

Now that sudo in Debian has a conffile, can't we let sudo adding that line?

I'm looking at this currently.

The default sudoers from the package does not contain the %admin line and has the following md5sum:
   360f70ce177a300375555cf5b4f61b84 /etc/sudoers
Because our default sudoers now has %admin in it we trigger the conffile prompt on upgrade. This is
the first case that needs to be handled (e.g. for chroots and similar systems).

When ubuntu-vm-builder is used, it create a sudoers file like this:
   b66718709de786a59279ad12d1940774 /etc/sudoers
This is the one we need for e.g. VM upgrades.

The template for the sudoers file in vmbuilder looks like this but can be ignored as "cheetah" renders it in a way that makes
it result in the above md5sum on the clients (just for ref the template 8e8cc1f27fc80ac6fc33ccfab60c0c4d /etc/sudoers).

When a (slightly dated) natty install with the current sudo (with the %admin line in sudoers) the admin line is added again, resulting in:
   d078f15745d795ae04b7301ca584715d /etc/sudoers

A regular maverick install has:
   2c6b4653d46ac9416faa08b1b8f24fe5 /etc/sudoers

The live-cd sudoers are slightly different (because they have NOPASSWD in).

This is a bit of a mess.

The only sane way to handle this, IMHO, is to revert the change in (1.7.4p4-5) that made sudoers a conffile.

Here is my approach for a fix. It takes the known default /etc/sudoers and if one of them is found
overwrites with the new default. This ensures we don't get a prompt (and also that we will not get
one in the future unless the user really modifies the conffile).

If the file is modified then the dpkg conffile prompt is triggered, but thats fine, the user modified it afterall.

The patch is a outline of the fix currently it needs:
- removal of the echo output (this is just for me)
- more md5sums of older releases to ensure we have a reasonable coverage

Ah, that's a nice fix...better than reverting the change!

Colin suggested to strip whitespace and comments. I added code for this now to reduce the number of md5sums to check.

Please note that just removing "^#" is not good enough, "#include" and "#includedir" have special meanings, same
for "#" in username context. I decided to therefore go with a very conservative approach and kill only ^#$ and ^#[[::space:]]+$

Here is the proposed final version. I do a quick check against dappers sudoers file still, but the approach should be good now.

I tested the final version and it seems to be fine. Feedback welcome, if I don't hear anything, I will upload tomorrow early morning (in +9h).

This bug was fixed in the package sudo - 1.7.4p4-5ubuntu5

---------------
sudo (1.7.4p4-5ubuntu5) natty; urgency=low

  * debian/sudo.preinst:
    - avoid conffile prompt by checking for known default /etc/sudoers
      and if found installing the correct default /etc/sudoers file
      (LP: #690873)
 -- Michael Vogt <email address hidden> Fri, 25 Mar 2011 09:13:43 +0100

Loïc Minier wrote on 2010-12-16: #6
>The sudoers.d/README claims that sudoers isn't a conffile, but it is; also, this README is actually parsed by sudo.

This claim has been removed from the debian package:
http://git.gag.com/?p=debian/sudo;a=commitdiff;h=d2bea82818b233f7b68ae4263c3c0c5f8abd7ac9

I just installed 11.04 released version and Synaptic won't accept passwords if launched with gksu from the menu but will if synaptic is launched with sudo from the command line

Are you sure this bug ever fixed for the release?