[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: permissions/sudo/sudoers

Kevin Chadwick wrote:
> Personally I think it would be great if package devs added perhaps
> commented by default lines sudoers or to a file in sudoers.d 

This compelled me to reply.  The problem with commented template files
is that if you change the file then upon every package upgrade the
file is presented to you to select either the package file, the local
file, or to merge the files.  This is done even if the changes are
only comments.  This is done because the local file is different than
the packaged file.  This creates work that is unnecessary.

For this reason I hate commented template files installed by a package
where you must edit that file for normal operations.  It creates
unnecessary work.  Yet I see users requesting this problem to be
created often.

In the case of the recent sudo there is the /etc/sudoers.d/* files and
I always create a new uniquely named local file there for my
configuration and I no longer edit the /etc/sudoers file.  This is
also a pain because it means I can't use the default 'visudo' to edit
the file.  (Use 'visudo -f /etc/sudoers.d/local-foo' explicitly.)  But
it makes upgrades easier so I do it this way.

But the problem of modified conffiles is why I (and I assume the
others) suggested using the 'sudo' group instead.  Because doing that
will avoid any edits to any conffiles.  And therefore avoids any work
for subsequent upgrades.  It is an imperfect solution to a problem.

> There is no need for groups and logging back in for the average system
> and sudoers changes take immediate effect whereas group changes don't.
> Though groups can be handy. Sudo is much easier to use, encourages
> better programming and is more secure and more powerful than polkit
> partly due to being filesystem based and certainly less disruptive as
> it is simply a tool in the proper UNIX sense.

Note that Wheezy will be the first that Debian Stable sees sudo
1.8.2-1.  In that sudo version "secure_path" was introduced to the
/etc/sudoers file.  Anyone who has modified /etc/sudoers will get a
prompt at installation time asking them what they want to do about it.

If they select the new package file then their own local configuration
will be removed, possibly locking them out of the machine.  (They can
use rescue media to recover.)  If they select the local file then they
won't get a correct secure_path setting and when using sudo they will
report that PATH isn't set and that they need to use full paths.  The
*only* correct choice is to merge the package configuration including
secure_path with their local configuration changes.

I don't know how many people will do this correctly but we have
already seen many that did not when this rolled through Testing and I
am sure we will see many more when this rolls into Stable.  If users
don't understand sudo and are asking questions then they probably
won't understand at upgrade time either.  Setting them up to avoid
this problem is advantageous to all involved.  Which is the only
reason I suggest using the "sudo" group.  It is a compromise.


Attachment: signature.asc
Description: Digital signature

Reply to: