Control: tags -1 + patch
On Sat, 24 Jan 2015 12:05:52 +0100 Andreas Beckmann <an...@debian.org> wrote:
> The upgrade to jessie with sudo-ldap/jessie went smooth, and thereafter
> I wanted to switch to sudo/jessie, which failed due to missing
> /etc/sudoers, the problem is reproducible in plain jessie, too:
>
> # apt-get install sudo
<snip>
> WARNING: /etc/sudoers not present!
> chown: cannot access '/etc/sudoers': No such file or directory
> dpkg: error processing package sudo (--configure):
> subprocess installed post-installation script returned error exit status 1
> Errors were encountered while processing:
> sudo
> E: Sub-process /usr/bin/dpkg returned an error code (1)
The problem stems from the solution used to avoid an unnecessary action
prompt for a conffile change when in fact there was no change. See bugs
#636049, #612532, #660594.
1. Each respective preinst checks, via md5sum, if /etc/sudoers has
changed. Iff not, it is moved to a temporary location at
/etc/sudoers.pre-conffile.
2. Each respective postinst checks whether /etc/sudoers is present,
and warns if it isn't (see WARNING quoted above).
3. Then follows an unconditional chown of /etc/sudoers, and when this
fails, postinst aborts because of set -e.
This is the first problem. It is of course possible for this file to be
generally absent (it's a conffile, and the user might have forcefully
removed it), so this chown should be guarded by a test for existence.
3. Later on, there is an attempt to remove the temporarily
renamed /etc/sudoers.pre-conffile mentioned above:
> # if we've gotten this far .. remove the saved, unchanged old sudoers file
> rm -f /etc/sudoers.pre-conffile
This I don't understand. Why remove it? This file can only exist because
of step 1. above, and if it exists, the purpose was to just temporarily
move it out of the way to avoid a conffile-change question. Why is it
being removed now? Shouldn't it just be moved back in step 2.?
Please find attached a debdiff against the version in t-p-u that
A. Makes the chmod/chown conditional on the existence of /etc/sudoers
B. When /etc/sudoers.pre-conffile exists, moves it back to
/etc/sudoers. This is done unconditionally since the very
existence of /etc/sudoers.pre-conffile implies that it is the
pristine package version (recall the md5sum check above). So
the user did not delete or change /etc/sudoers, and we want it
back.
I'm confident that change A. is correct and necessary, but change B.
depends on whether I understood the problem the code is trying to solve
correctly!
I tested this with various combinations (pristine, changed, deleted
/etc/sudoers), and TTBOMYK the result is policy-conform. Additional
testing would be highly appreciated, though.
Regards,
Christian
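
The postinst behaviour that changes A and B describe, as an added sketch that is not the debdiff attached to this mail and not the package's own script. The function name `configure_sudoers`, its root-prefix argument, the `SUDOERS_OWNER` variable, and the `root:root` / `0440` values are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration of changes A and B from the mail above; hypothetical names.
set -e

# Assumed owner for /etc/sudoers; overridable so the sketch can run
# unprivileged against a scratch tree.
SUDOERS_OWNER="${SUDOERS_OWNER:-root:root}"

# configure_sudoers [ROOT]
#   ROOT is an optional directory prefix (empty means the real filesystem).
configure_sudoers() {
    root="${1:-}"
    sudoers="$root/etc/sudoers"
    saved="$root/etc/sudoers.pre-conffile"

    # Change B: preinst only creates the saved copy when the md5sum matched
    # the pristine file, so its existence means the admin neither edited nor
    # deleted /etc/sudoers. Move it back instead of removing it.
    if [ -e "$saved" ]; then
        mv -f "$saved" "$sudoers"
    fi

    # Change A: a conffile may be absent because the admin removed it.
    # Warn, but do not run chown/chmod on a missing path, which would
    # abort the script under set -e.
    if [ -e "$sudoers" ]; then
        chown "$SUDOERS_OWNER" "$sudoers"
        chmod 0440 "$sudoers"
    else
        echo "WARNING: $sudoers not present!" >&2
    fi
}
```

Calling `configure_sudoers /some/scratch/dir` exercises the pristine, changed and deleted cases mentioned in the mail without touching the real /etc.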