[Pkg-sssd-devel] Bug#749722: Bug#749722: libsss-sudo: modified /etc/nsswitch.conf after purge

Timo Aaltonen tjaalton at debian.org
Fri Nov 21 06:09:36 UTC 2014


On 08.11.2014 21:35, Andreas Beckmann wrote:
>> Strange, purge works for me..
> 
> This probably depends on how /etc/nsswitch.conf looked before the test,
> i.e. whether it already contained a sudoers line.
> 
>> :: root at sid:/etc> md5sum nsswitch.conf
>> d204d419661fba0df52f9be8e2a29fdd  nsswitch.conf
> 
> I couldn't reproduce your md5sums in a current sid chroot
> 
> Your postinst script adds the
>   "sudoers: files sss"
> line to /etc/nsswitch.conf, but the postrm only removes the " sss" part
> from that line, leaving the rest.
> 
> BTW, isn't doing that in the postrm too late anyway? Shouldn't that be
> removed already by "prerm remove"? With the postrm approach there is a
> small timespan where sudo could fail: the libsss library is already
> removed, but still referenced in /etc/nsswitch.conf. (And in the worst
> case the machine crashes at that moment - rebooting with a broken
> sudoers configuration in /etc/nsswitch.conf)
> 
> You could append this to your postrm sed script to remove sudoers: files
> after disabling sss
> 
>     /^sudoers:        files$/d

Oh right, that's it..

> Or is there any other source that could add a sudoers line to
> /etc/nsswitch.conf?

Not that I know of, wish it was there by default and that we had a
helper tool for these. Ubuntu kind of has one (auth-client-config) but
it's mostly made obsolete by pam-auth-update.

So I guess it would make sense for base-files to add "sudoers: files" to
the default nsswitch.conf?

> Also note that your postinst script has misleading comments talking
> about passwd, group, etc. lines being modified.
> 
> 
> Also the following sequence does not enable sss for sudoers:
> 
> apt-get install libsss-sudo  # sss gets enabled
> apt-get remove libsss-sudo   # sss gets disabled, don't purge
> apt-get install libsss-sudo  # goes the "upgrade, nothing to do" branch

Yeah I'll fix these at least.


-- 
t
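
The enable/disable behaviour discussed in this thread, as an added sketch that is not part of the original mail and is not the libsss-sudo maintainer scripts. The function names and the NSS_CONF override are hypothetical, and it assumes, as in the thread, that nothing else adds a sudoers line.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not the package's postinst/prerm.
# NSS_CONF can be overridden so the functions can be tried on a scratch copy.
NSS_CONF="${NSS_CONF:-/etc/nsswitch.conf}"

# Run sed over $NSS_CONF through a temp file; the file is only rewritten
# if sed succeeded, so a failed edit cannot leave it truncated.
edit_conf() {
    ec_tmp="$(mktemp)" || return 1
    sed -E "$@" "$NSS_CONF" > "$ec_tmp" && cat "$ec_tmp" > "$NSS_CONF"
    ec_rc=$?
    rm -f "$ec_tmp"
    return "$ec_rc"
}

# For "postinst configure": idempotent, so it does not rely on telling a
# fresh install from an upgrade. This covers install, remove (no purge),
# install again, where the config is gone but the package looks upgraded.
enable_sss_sudoers() {
    if ! grep -q '^sudoers:' "$NSS_CONF"; then
        # No sudoers line at all: add the one the thread quotes.
        printf 'sudoers:        files sss\n' >> "$NSS_CONF"
    elif ! grep -Eq '^sudoers:.*[[:space:]]sss([[:space:]]|$)' "$NSS_CONF"; then
        # Line exists without sss: append the source.
        edit_conf -e '/^sudoers:/ s/[[:space:]]*$/ sss/'
    fi
}

# For "prerm remove": runs while the library is still installed, so
# nsswitch.conf never names a module that is already gone.
# Step 1 drops the sss source; step 2 deletes the line when only the
# "files" default is left, so a purge leaves the file as it was found.
disable_sss_sudoers() {
    edit_conf \
        -e '/^sudoers:/ s/[[:space:]]+sss([[:space:]]|$)/\1/' \
        -e '/^sudoers:[[:space:]]*files[[:space:]]*$/d'
}
```

A sudoers line that lists other sources as well, for example "files ldap sss", keeps those sources and only loses sss.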


