** Description changed: - [Impact] + [Impact] The libsss-sudo package insists on inserting a "sudoers: files sss" configuration line into /etc/nsswitch.conf at install time and every upgrade after that. If the line already exists and has no "sss" component, the postinst adds that. This behavior ignores changes the user might have done. For example, some users remove "sss", like seen in bug #1249777. At the next upgrade, libsss-sudo will just add it back again. The proposed fix here is already applied in debian and later ubuntu releases, and only triggers the nsswitch.conf check on first install. [Test Case] - * detailed instructions how to reproduce the bug + * Install libsss-sudo: + $ sudo apt install libsss-sudo - * these should allow someone who is not familiar with the affected - package to reproduce the bug and verify that the updated package fixes - the problem. + * Verify the sudoers line with sss was added to /etc/nsswitch.conf: + $ grep ^sudoers /etc/nsswitch.conf + sudoers: files sss + + * Remove sss from that line, so it becomes: + $ grep ^sudoers /etc/nsswitch.conf + sudoers: files + + * Reinstall the package (or upgrade to a package without the fix): + sudo apt install --reinstall libsss-sudo + + * Without the fix, sss will be back: + $ grep ^sudoers /etc/nsswitch.conf + sudoers: files sss + + * With the fixed package, the line will remain as you left it before, without sss: + $ grep ^sudoers /etc/nsswitch.conf + sudoers: files [Regression Potential] - - * discussion of how regressions are most likely to manifest as a result - of this change. - - * It is assumed that any SRU candidate patch is well-tested before - upload and has a low overall risk of regression, but it's important - to make the effort to think about what ''could'' happen in the - event of a regression. - - * This both shows the SRU team that the risks have been considered, - and provides guidance to testers in regression-testing the SRU. 
+ Someone could perhaps be surprised that reinstalling the package won't make it "work again", in the case they removed "sss" from the sudoers line in /etc/nsswitch.conf and expected a reinstallation to fix it. [Other Info] - - * Anything else you think is useful to include - * Anticipate questions from users, SRU, +1 maintenance, security teams and the Technical Board - * and address these questions in advance + One could argue that if the user doesn't want to use sudo with sss, then why install libsss-sudo?
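Review bot: the new [Test Case] steps verify the fixed package only through "apt install --reinstall", while [Impact] describes the clobbering as happening "at install time and every upgrade after that". Consider adding a step that upgrades from the unfixed package to the fixed one with "sss" already removed from the sudoers line, since that is the path SRU users will actually take. It would also help to state that the first two steps (install, then grep for "sudoers: files sss") should be repeated on a clean system with the fixed package, so that the first-install behaviour that [Impact] says is kept is checked too. Minor style point: the reinstall command is missing the "$ " prompt used on the other command lines.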
-- You received this bug notification because you are a member of Ubuntu Server, which is subscribed to sssd in Ubuntu. https://bugs.launchpad.net/bugs/1781991 Title: libsss-sudo.postinst clobbers local change to /etc/nsswitch.conf