From 67a8cc4739d6386a080934669ad7a8edad2c0994 Mon Sep 17 00:00:00 2001
From: Guilherme Puida Moreira
Date: Fri, 5 Jun 2026 10:17:06 -0300
Subject: [PATCH] libsss-sudo: ensure 'files' is present in nsswitch.conf sudoers line
---
 debian/libsss-sudo.nss | 1 +
 debian/libsss-sudo.postinst | 16 ++++++++++++++++
 2 files changed, 17 insertions(+)
 create mode 100644 debian/libsss-sudo.postinst
diff --git a/debian/libsss-sudo.nss b/debian/libsss-sudo.nss
index add9eba15..774740307 100644
--- a/debian/libsss-sudo.nss
+++ b/debian/libsss-sudo.nss
@@ -1,3 +1,4 @@
 sudoers database-add
+sudoers last files skip-if-present=files
 sudoers last sss
diff --git a/debian/libsss-sudo.postinst b/debian/libsss-sudo.postinst
new file mode 100644
index 000000000..d9022c1d9
--- /dev/null
+++ b/debian/libsss-sudo.postinst
@@ -0,0 +1,16 @@
+#!/bin/sh
+set -e
+
+# Fix broken upgrades where sudoers line has 'sss' but missing 'files'.
+# dh_installnss only runs service installation on fresh install, not upgrade,
+# so systems upgraded from broken versions have 'sudoers: sss' without 'files',
+# breaking local sudo. This detects that state and prepends 'files'.
+if [ "$1" = "configure" ] && [ -e "${DPKG_ROOT}/etc/nsswitch.conf" ]; then
+ if grep -q -E '^sudoers:[^#]*\bsss\b' "${DPKG_ROOT}/etc/nsswitch.conf" && \
+ ! grep -q -E '^sudoers:[^#]*\bfiles\b' "${DPKG_ROOT}/etc/nsswitch.conf"; then
+ sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" \
+ -e '/^sudoers:/ s/^sudoers:\s*/sudoers: files /'
+ fi
+fi
+
+#DEBHELPER#
--
2.43.0
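Review bot: In debian/libsss-sudo.postinst the fix-up is gated only on `[ "$1" = "configure" ]`, so it runs on every configure of every later version, not just on upgrades from the broken releases that the comment describes. A site that deliberately keeps `sudoers: sss` without `files` (centrally managed policy only) would have `files` prepended again on each upgrade, silently changing which source sudo consults for privilege rules. Consider adding a version guard to the outer condition, for example `dpkg --compare-versions "$2" lt-nl "<FIRST_FIXED_VERSION>"` (placeholder, since the fixed version is not shown in the patch), and extending the comment to name the affected versions. Printing a short message when nsswitch.conf is rewritten would also leave the administrator a trace of the change.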