Merge lp://qastaging/~xnox/ubuntu/quantal/sudo/merge into lp://qastaging/ubuntu/quantal/sudo

Proposed by Dimitri John Ledkov
Status: Superseded
Proposed branch: lp://qastaging/~xnox/ubuntu/quantal/sudo/merge
Merge into: lp://qastaging/ubuntu/quantal/sudo
Diff against target: 7378 lines (+370/-6300)
37 files modified
.pc/CVE-2012-0809.patch/src/sudo.c (+0/-1222)
.pc/applied-patches (+0/-2)
.pc/enable_badpass.patch/doc/sudoers.man.in (+0/-2035)
.pc/enable_badpass.patch/doc/sudoers.pod (+0/-1969)
.pc/enable_badpass.patch/plugins/sudoers/defaults.c (+0/-781)
ChangeLog (+14/-0)
NEWS (+6/-0)
configure (+9/-9)
configure.in (+1/-1)
debian/README (+0/-17)
debian/changelog (+66/-0)
debian/control (+3/-3)
debian/patches/CVE-2012-0809.patch (+0/-28)
debian/patches/enable_badpass.patch (+0/-42)
debian/patches/keep_home_by_default.patch (+3/-3)
debian/patches/lp927828-fix-abort-in-pam-modules-when-timestamp-valid.patch (+22/-14)
debian/patches/series (+0/-2)
debian/rules (+22/-9)
debian/source.lintian-overrides (+0/-2)
debian/sudo-ldap.dirs (+1/-0)
debian/sudo-ldap.lintian (+2/-0)
debian/sudo-ldap.postinst (+62/-45)
debian/sudo-ldap.postrm (+5/-0)
debian/sudo-ldap.sudo.init (+2/-2)
debian/sudo.dirs (+1/-0)
debian/sudo.lintian (+2/-0)
debian/sudo.postinst (+53/-42)
debian/sudo.preinst (+1/-0)
debian/sudo.service (+10/-0)
debian/sudo.sudo.init (+2/-2)
debian/sudoers (+1/-0)
doc/sudoers.man.in (+1/-1)
doc/sudoers.pod (+1/-1)
plugins/sudoers/defaults.c (+0/-1)
plugins/sudoers/po/sudoers.pot (+64/-64)
src/po/sudo.pot (+2/-2)
sudo.pp (+14/-1)
To merge this branch: bzr merge lp://qastaging/~xnox/ubuntu/quantal/sudo/merge
Reviewer | Review Type | Date Requested | Status
Steve Langasek | | | Needs Fixing
Ubuntu branches | | | Pending
Review via email: mp+104420@code.qastaging.launchpad.net

This proposal has been superseded by a proposal from 2012-05-22.

Description of the change

Format: 1.8
Date: Tue, 01 May 2012 16:12:45 +0100
Source: sudo
Binary: sudo sudo-ldap
Architecture: source
Version: 1.8.3p2-1ubuntu1
Distribution: quantal
Urgency: high
Maintainer: Ubuntu Developers <email address hidden>
Changed-By: Dmitrijs Ledkovs <email address hidden>
Description:
 sudo - Provide limited super user privileges to specific users
 sudo-ldap - Provide limited super user privileges to specific users
Closes: 610600 612532 636049 639530 639633 641218 641782 648104 655417 655510 655894 657985
Launchpad-Bugs-Fixed: 927828
Changes:
 sudo (1.8.3p2-1ubuntu1) quantal; urgency=low
 .
   * Merge from debian/testing, remaining changes:
     - debian/patches/CVE-2012-0809.patch:
       + dropped, included in this new upstream release.
     - debian/patches/enable_badpass.patch:
       + dropped as Debian chose to set this by default in the sudoers.
     - debian/patches/keep_home_by_default.patch:
       + Set HOME in initial_keepenv_table. (rebased for 1.8.3p1)
     - debian/patches/lp927828-fix-abort-in-pam-modules-when-timestamp-valid.patch
       + Fix Abort in some PAM modules when timestamp is valid. (LP: #927828)
     - debian/rules:
       + compile with --without-lecture --with-tty-tickets (Ubuntu specific)
       + install man/man8/sudo_root.8 (Ubuntu specific)
       + install apport hooks
       + The ubuntu-sudo-as-admin-successful.patch was taken upstream by
         Debian however it requires a --enable-admin-flag configure flag to
         actually enable it.
     - debian/sudoers:
       + grant admin group sudo access
     - debian/sudo-ldap.dirs, debian/sudo.dirs:
       + add usr/share/apport/package-hooks
     - debian/sudo.preinst:
       + avoid conffile prompt by checking for known default /etc/sudoers
         and if found installing the correct default /etc/sudoers file.
         Modified for updated default sudoers. Approach taken is different
         from Debian. Maybe this should now be dropped, since LTS was
         released.
 .
 sudo (1.8.3p2-1) unstable; urgency=high
 .
   * new upstream version, closes: #657985 (CVE-2012-0809)
   * patch from Pino Toscano to only use selinux on Linux, closes: #655894
 .
 sudo (1.8.3p1-3) unstable; urgency=low
 .
   * patch from Moritz Muehlenhoff enables hardened build flags, closes: #655417
   * replacement postinst script from Mike Beattie using shell instead of Perl
   * include systemd service file from Michael Stapelberg, closes: #639633
   * add init.d status support, closes: #641782
   * make sudo-ldap package manage a sudoers entry in nsswitch.conf,
     closes: #610600, #639530
   * enable mail_badpass in the default sudoers file, closes: #641218
   * enable selinux support, closes: #655510
 .
 sudo (1.8.3p1-2) unstable; urgency=low
 .
   * if upgrading from squeeze, and the sudoers file is unmodified, avoid
     the packaging system prompting the user about a change they didn't make
     now that sudoers is a conffile, closes: #612532, #636049
   * add a recommendation for the use of visudo to the sudoers.d/README file,
     closes: #648104

Steve Langasek (vorlon) wrote :

    - debian/patches/CVE-2012-0809.patch:
      + dropped, included in this new upstream release.
    - debian/patches/enable_badpass.patch:
      + dropped as Debian chose to set this by default in the sudoers.

Please document these separately in debian/changelog, not as part of "remaining changes" since these are changes that *don't* remain. ("Dropped changes" makes a good header for such things.)

debian/sudoers has been changed - this means that debian/sudo.preinst also needs updated, for avoid_conffile_prompt() to know about the new checksums. The version check also needs updated from 1.8.3p1-1ubuntu1 to 1.8.3p2-1ubuntu1.

debian/patches/paths-in-samples.diff, debian/patches/typo-in-classic-insults.diff have modified headers relative to the Debian package when they don't need to... this cosmetic delta could be dropped.

debian/rules passes --enable-admin-flag to the main sudo build, but not to the ldap build - I think this is a bug? (Not one introduced by your merge, but one that should be fixed nevertheless)

Otherwise, this looks good to me.

review: Needs Fixing
Dimitri John Ledkov (xnox) wrote :

> - debian/patches/CVE-2012-0809.patch:
> + dropped, included in this new upstream release.
> - debian/patches/enable_badpass.patch:
> + dropped as Debian chose to set this by default in the sudoers.
>
> Please document these separately in debian/changelog, not as part of
> "remaining changes" since these are changes that *don't* remain. ("Dropped
> changes" makes a good header for such things.)
>

ok.

> debian/sudoers has been changed - this means that debian/sudo.preinst also
> needs updated, for avoid_conffile_prompt() to know about the new checksums.
> The version check also needs updated from 1.8.3p1-1ubuntu1 to
> 1.8.3p2-1ubuntu1.
>

Why? Last time around our preinst was 'upgrading' to a config file with a non-matching checksum, which was then resulting in the prompt. This has been fixed in the last upload. So currently /etc/sudoers is managed as a dpkg conffile with correct checksums and gets auto updated to a new version if it is untouched.

Upgrading Lucid's sudo to the new merged version asks no questions:
    (Reading database ... 15827 files and directories currently installed.)
    Preparing to replace sudo 1.8.3p1-1ubuntu3.1 (using .../sudo_1.8.3p2-0~56~precise1_amd64.deb) ...
    invoke-rc.d: policy-rc.d denied execution of stop.
    Unpacking replacement sudo ...
    Setting up sudo (1.8.3p2-0~56~precise1) ...
    Installing new version of config file /etc/sudoers ...
    Installing new version of config file /etc/sudoers.d/README ...
    Installing new version of config file /etc/init.d/sudo ...

I have left the logic there just for someone who is jumping releases on upgrade (e.g. lucid -> quantal or oneiric -> quantal).
Potentially this is cruft, since an LTS got released & we should be removing this duplication of the same config file in two places.

> debian/patches/paths-in-samples.diff, debian/patches/typo-in-classic-
> insults.diff have modified headers relative to the Debian package when they
> don't need to... this cosmetic delta could be dropped.
>

ok. sorry.
I refreshed them due to fuzz, but dpkg-source seems to unpack this little fuzz ok this time around.

> debian/rules passes --enable-admin-flag to the main sudo build, but not to the
> ldap build - I think this is a bug? (Not one introduced by your merge, but
> one that should be fixed nevertheless)
>

I agree that it's a bug.
Also sudo_root 8 man page was not installed in the sudo-ldap package on ubuntu.
People seem to be renaming Vcs-* control fields to XS-Debian-Vcs-*; not sure what the consensus is behind this, i.e. is to make debcheckout work on merged packages?!

> Otherwise, this looks good to me.

Thanks.

Dimitri John Ledkov (xnox) wrote :
60. By Dimitri John Ledkov

* Merge security fix in.

Steve Langasek (vorlon) wrote :

> Upgrading Lucid's sudo to the new merged version asks no questions:

Ah - you're right then, sorry.

> I have left the logic there just for someone who is jumping releases on upgrade
> (e.g. lucid -> quantal or oneiric -> quantal).
> Potentially this is cruft, since an LTS got released & we should be removing
> this duplication of the same config file in two places.

I would actually prefer to see this dropped. Skipping an LTS is definitely not supported for upgrades, and it's better for us to not carry a delta here if we can avoid it, IMHO. But that doesn't have to be done as part of this merge, it can be done later.

> I agree that it's a bug.
> Also sudo_root 8 man page was not installed in the sudo-ldap package on ubuntu.
> People seem to be renaming Vcs-* control fields to XS-Debian-Vcs-*; not sure
> what the consensus is behind this, i.e. is to make debcheckout work on merged
> packages?!

I don't think there's a strong consensus about this. I think it's better to rename the fields so that 'debcheckout' doesn't give wrong results; but I also don't always do this myself.

I've merged this now with only a couple minor changes to the changelog. Thanks!
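
The checksum gate discussed in this thread (a preinst replaces /etc/sudoers only when the file still matches a known shipped default, and only with a file whose checksum is the one the package ships) is sketched below as an added example. It is not the code of debian/sudo.preinst; the function names, return codes and sample file contents are assumptions made for illustration.

```shell
#!/bin/sh
# Added illustration, not the contents of Ubuntu's debian/sudo.preinst.
# Function names and sample file contents are constructed for this example.

md5_of() { md5sum "$1" | cut -d' ' -f1; }

# is_pristine_conffile FILE SUM...
# True when FILE matches one of the checksums of defaults shipped by
# earlier package versions, i.e. the admin never edited it.
is_pristine_conffile() {
    file=$1; shift
    [ -f "$file" ] || return 1
    actual=$(md5_of "$file")
    for known in "$@"; do
        [ "$actual" = "$known" ] && return 0
    done
    return 1
}

# replace_if_pristine FILE NEW_DEFAULT NEW_SUM OLD_SUM...
# Returns 0 = replaced, 1 = locally modified (left alone),
#         2 = NEW_DEFAULT does not match the checksum the package ships,
#             so installing it would still trigger the dpkg prompt.
replace_if_pristine() {
    target=$1; new=$2; new_sum=$3; shift 3
    [ "$(md5_of "$new")" = "$new_sum" ] || return 2
    is_pristine_conffile "$target" "$@" || return 1
    # Write beside the target and rename, so a crash never leaves a
    # truncated sudoers; sudo expects mode 0440.
    tmp="$target.dpkg-tmp.$$"
    cp "$new" "$tmp" && chmod 0440 "$tmp" && mv -f "$tmp" "$target"
}

demo() {
    d=$(mktemp -d) || return 1
    printf 'Defaults env_reset\n' > "$d/old"                 # constructed old default
    printf 'Defaults env_reset\nDefaults mail_badpass\n' > "$d/new"  # constructed new default
    cp "$d/old" "$d/sudoers"
    replace_if_pristine "$d/sudoers" "$d/new" "$(md5_of "$d/new")" "$(md5_of "$d/old")"
    echo "pristine file: rc=$?"
    printf 'Defaults env_reset\n# local edit\n' > "$d/edited"
    replace_if_pristine "$d/edited" "$d/new" "$(md5_of "$d/new")" "$(md5_of "$d/old")"
    echo "edited file: rc=$?"
    rm -rf "$d"
}
demo
```

A maintainer script would additionally gate this on the previously installed version, which preinst receives as an argument on upgrade and can compare with `dpkg --compare-versions`.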
