Debian Bug report logs - #536222
Please enable the %sudo example by default

Display info messages

Message #3 received at submit@bugs.debian.org (full text, mbox, reply):

From: Josh Triplett <josh@joshtriplett.org>

To: Debian Bug Tracking System <submit@bugs.debian.org>

Subject: Please enable the %sudo example by default

Date: Wed, 08 Jul 2009 03:40:56 -0700

Package: sudo
Version: 1.7.0-1
Severity: wishlist

sudo provides a default /etc/sudoers with a commented-out line to allow
members of group sudo to use sudo.  This represents a convenient
configuration: simply add users to group sudo to give them the ability
to run commands as root.

Given that group sudo has no users by default, please consider enabling
this example by default.  This should not reduce the security of the
default install, and it would remove one of the few remaining
configuration changes I have to make on every new Debian system I
install.

Furthermore, this change would make it easier to enable the use of sudo
by default in custom installers: just add the user to group sudo.

I searched for any previous discussion about making this change to sudo,
and didn't find anything; if I've missed something, please let me know.

- Josh Triplett

-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.30-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages sudo depends on:
ii  libc6                         2.9-19     GNU C Library: Shared libraries
ii  libpam-modules                1.0.1-9    Pluggable Authentication Modules f
ii  libpam0g                      1.0.1-9    Pluggable Authentication Modules l

sudo recommends no packages.

sudo suggests no packages.

-- no debconf information

Message #8 received at 536222-close@bugs.debian.org (full text, mbox, reply):

From: Bdale Garbee <bdale@gag.com>

To: 536222-close@bugs.debian.org

Subject: Bug#536222: fixed in sudo 1.7.2-1

Date: Wed, 15 Jul 2009 07:47:06 +0000

Source: sudo
Source-Version: 1.7.2-1

We believe that the bug you reported is fixed in the latest version of
sudo, which is due to be installed in the Debian FTP archive:

sudo-ldap_1.7.2-1_i386.deb
  to pool/main/s/sudo/sudo-ldap_1.7.2-1_i386.deb
sudo_1.7.2-1.diff.gz
  to pool/main/s/sudo/sudo_1.7.2-1.diff.gz
sudo_1.7.2-1.dsc
  to pool/main/s/sudo/sudo_1.7.2-1.dsc
sudo_1.7.2-1_i386.deb
  to pool/main/s/sudo/sudo_1.7.2-1_i386.deb
sudo_1.7.2.orig.tar.gz
  to pool/main/s/sudo/sudo_1.7.2.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 536222@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Bdale Garbee <bdale@gag.com> (supplier of updated sudo package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 15 Jul 2009 01:29:46 -0600
Source: sudo
Binary: sudo sudo-ldap
Architecture: source i386
Version: 1.7.2-1
Distribution: unstable
Urgency: low
Maintainer: Bdale Garbee <bdale@gag.com>
Changed-By: Bdale Garbee <bdale@gag.com>
Description: 
 sudo       - Provide limited super user privileges to specific users
 sudo-ldap  - Provide limited super user privileges to specific users
Closes: 536220 536222 537103
Changes: 
 sudo (1.7.2-1) unstable; urgency=low
 .
   * new upstream version, closes: #537103
   * improve initial sudoers by having the exemption for users in group
     sudo on by default, and including the ability to run any command as
     any user.  This makes the default install roughly equivalent to our
     old use of the --with-exempt=sudo build option, closes: #536220, #536222
Checksums-Sha1: 
 80c0c3bf04d9331f2e1f30c01ab4694d1f0f853d 988 sudo_1.7.2-1.dsc
 566952fc9fb18b6c1e861e03ad5a63d27e54a501 770929 sudo_1.7.2.orig.tar.gz
 e996c09157785db74cf9604f3570edc17bf0e25e 20080 sudo_1.7.2-1.diff.gz
 1d18f07e9b2689be599f09069e2cb08e2b4ab1b6 305256 sudo_1.7.2-1_i386.deb
 7ef1e30ae99481625986437930fc5fed5a32b5b3 329438 sudo-ldap_1.7.2-1_i386.deb
Checksums-Sha256: 
 8a0eeb68d4d78cca7b36d9a6bb597da0ef7a74feae26db494e341c3fba5dff7b 988 sudo_1.7.2-1.dsc
 c173c6d6145f774bcce25bca70999b57b62e9e48054a3670dddabe233bdf100a 770929 sudo_1.7.2.orig.tar.gz
 a85ce3f215cb584e6520dc64f3b3848d2e7592bef009c628d11dfdc8f3d4ebcf 20080 sudo_1.7.2-1.diff.gz
 07420f875019f4697556a145f2158ef7c13a7b93e12a72acbe089ad56b110f7d 305256 sudo_1.7.2-1_i386.deb
 6ec55aaf20aadc99907e2f15fbdebb4310fd0ebc8363f5cfa28fdd429ea9a084 329438 sudo-ldap_1.7.2-1_i386.deb
Files: 
 70d17432bd9b017fc0093819da617669 988 admin optional sudo_1.7.2-1.dsc
 9caba8719c3e0f163880a05f02a48249 770929 admin optional sudo_1.7.2.orig.tar.gz
 225a8cc2aed2a4a77706dcd8a5cacefd 20080 admin optional sudo_1.7.2-1.diff.gz
 5a53402939b18b941133bfc1c5c0ba54 305256 admin optional sudo_1.7.2-1_i386.deb
 11e3576ba4f7774d5b01f59fa3596756 329438 admin optional sudo-ldap_1.7.2-1_i386.deb

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)

iD8DBQFKXYZFZKfAp/LPAagRAuNEAJ9SI3ErIxo4sv2qdc8f0VyuFsiTSwCfRLdl
fUjFxhX4xBKmksrfaDtAPaA=
=C/g7
-----END PGP SIGNATURE-----

Message #15 received at 536222-done@bugs.debian.org (full text, mbox, reply):

From: bdale@gag.com (Bdale Garbee)

To: 536222-done@bugs.debian.org

Subject: fixed

Date: Thu, 11 Mar 2010 13:58:45 -0700 (MST)

This was fixed in 1.7.2-1.  

I'm not sure why it was marked as 'found' in 1.7.2-2?

Note that you won't magically get a changed sudoers just by updating sudo, 
since /etc/sudoers is only created in the postinst if it doesn't already 
exist, after which the sys admin is assumed to know more than we do about 
what they want.

Bdale

Message #20 received at 536222@bugs.debian.org (full text, mbox, reply):

From: Josh Triplett <josh@joshtriplett.org>

To: 536222@bugs.debian.org

Subject: Re: Bug#536222 closed by bdale@gag.com (Bdale Garbee) (fixed)

Date: Thu, 11 Mar 2010 13:35:10 -0800

On Thu, Mar 11, 2010 at 09:03:04PM +0000, Debian Bug Tracking System wrote:
> This was fixed in 1.7.2-1.  

True.

> I'm not sure why it was marked as 'found' in 1.7.2-2?

Probably because 1.7.2-2 removed the requested example, and added a new
one that will require editing on every new machine I install, defeating
the purpose of my filing the bug in the first place? ;)

Whether it involves the group sudo or not, I'd love to have some group
available to which I could add users to give them full root-equivalent
sudo permission, without also having to edit /etc/sudoers to set the
permissions of that group.  I filed the bug in the hopes of making sudo
that group, but I'd settle for a different group name. :)

> Note that you won't magically get a changed sudoers just by updating sudo, 
> since /etc/sudoers is only created in the postinst if it doesn't already 
> exist, after which the sys admin is assumed to know more than we do about 
> what they want.

That makes perfect sense; I certainly wouldn't want sudo modifying an
existing /etc/sudoers without at least prompting.  I do think a
conffile-like mechanism might make sense for such a file, to make it
easy for admins to see what has changed and optionally incorporate those
changes in their own files.  But that doesn't relate to this bug.

- Josh Triplett

Send a report that this bug log contains spam.