[adding [email protected] to keep the sudo team in the loop]

Hi Martin,

good to hear from you.

On Mon, Feb 09, 2026 at 02:00:06PM +0100, Martin Pitt wrote:
> This has become much more relevant now. Marc removed libnss-sudo [1], whose
> postinst previously created the `sudoers: files` entry:
>
> -------------- 8< ---------------
>         if ! grep -q -E '^sudoers:' "${DPKG_ROOT}/etc/nsswitch.conf" ; then
>                 echo "sudoers: " >> "${DPKG_ROOT}/etc/nsswitch.conf"
>         fi
> [...]
>         if ! grep -q -E  -e '^sudoers:[^#]*\s(files)(\s|#|$)' "${DPKG_ROOT}/etc/nsswitch.conf" ; then
>                 # Installing sudoers/files from libnss-sudo in position first
>                 sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^sudoers:\s/ s/(:\s+)/\1files /'
>         fi
> -------------- 8< ---------------

I was not aware that other things depended on that. We have discussed that numerous times inside the sudo team, and I think that I took that to -devel at least once, being well aware that our removal of the unmaintainable sudo-ldap might break things.

I apologize for the additional work that this change caused despite the utmost care taken by the sudo team.

Sadly, the sudo team doesn't have enough LDAP knowledge to properly maintain sudo-ldap, and the LDAP "plugin" of sudo sadly never was a proper plugin upstream, making it necessary to have dedicated, conflicting binary packages for both feature sets (multiplying the effort necessary to provide packaged versions of "proper" sudo plugins).

I don't know why upstream never got around to making the LDAP plugin a proper plugin after implementing the plugin mechanism, but instead decided to keep it in the current "unicorn" state.

> But this is gone now. Consequently, libsss-sudo's postinst does not add 'sss'
> any more, as there is no 'sudoers:' line, and the `sed` just changes an
> existing one:
>
> -------------- 8< ---------------
>         if ! grep -q -E  -e '^sudoers:[^#]*\s(sss)(\s|#|$)' "${DPKG_ROOT}/etc/nsswitch.conf" ; then
>                 # Installing sudoers/sss from libsss-sudo in position last
>                 sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" -e '/^sudoers:\s[^#]*$/ s/$/ sss/' -e '/^sudoers:\s.*#/ s/#/ sss #/'
>         fi
> -------------- 8< ---------------
>
> That leaves sssd configuration of sudo rules broken by default now. Could
> libsss-sudo adopt the "create entry" code from the late libnss-sudo?

Hm. Why is that not caught in the sudo testsuite, which HAS a test case to configure slapd, sssd and sudo?

Can you elaborate a bit on "sssd configuration of sudo rules"? The only thing I have ever seen (and tested) is sssd contributing to getent passwd, getent group et al.

What would a test case to check "sssd configuration of sudo rules" look like?

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421

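The two postinst steps quoted in the thread, combined into one idempotent helper. This is an added example, not libnss-sudo's, libsss-sudo's or the sudo team's code: the function names and the sample nsswitch.conf contents are constructed, GNU sed's \s is written as [[:space:]], and the file is rewritten through a temporary file instead of sed -i. It first reproduces what the libsss-sudo sed alone does to a file that has no "sudoers:" line (nothing), then shows the create step followed by adding "files" first and "sss" last, with a repeated run being a no-op.

```shell
#!/bin/sh
# Added example, not libnss-sudo's or libsss-sudo's postinst code: one
# idempotent helper that performs both steps discussed in the thread,
# creating a missing "<db>:" line in nsswitch.conf and then adding a
# backend at the requested position. Names and sample data are constructed.

# Exit 0 if the "<db>:" line already lists BACKEND before any '#' comment.
nss_has_backend() {  # FILE DB BACKEND
    grep -q -E "^$2:[^#]*[[:space:]]$3([[:space:]]|#|\$)" "$1"
}

# Ensure "<db>:" exists and lists BACKEND; POS is "first" or "last".
nss_ensure_backend() {  # FILE DB BACKEND POS
    nss_file=$1 nss_db=$2 nss_be=$3 nss_pos=$4
    # Step 1: the "create entry" step the late libnss-sudo used to perform.
    # Without it the sed below has nothing to edit and silently does nothing.
    if ! grep -q -E "^$nss_db:" "$nss_file"; then
        printf '%s:\n' "$nss_db" >> "$nss_file"
    fi
    # Step 2: add the backend, but only once (postinsts are re-run routinely).
    if nss_has_backend "$nss_file" "$nss_db" "$nss_be"; then
        return 0
    fi
    nss_tmp=$(mktemp)
    case $nss_pos in
      first)  # insert right after the colon, keep what follows, trim trailing blanks
        sed -E -e "s/^($nss_db:)[[:space:]]*/\\1 $nss_be /" \
               -e "/^$nss_db:/ s/[[:space:]]+\$//" "$nss_file" > "$nss_tmp" ;;
      last)   # append before a trailing comment if present, else at end of line
        sed -E -e "/^$nss_db:[^#]*\$/ s/[[:space:]]*\$/ $nss_be/" \
               -e "/^$nss_db:[^#]*#/ s/[[:space:]]*#/ $nss_be #/" \
               "$nss_file" > "$nss_tmp" ;;
      *)      rm -f "$nss_tmp"; echo "nss_ensure_backend: bad position '$nss_pos'" >&2; return 2 ;;
    esac
    mv "$nss_tmp" "$nss_file"
}

# Run nss_ensure_backend over a one-line constructed nsswitch.conf and print
# the resulting "<db>:" line (or "(none)") so single cases can be checked.
nss_apply_to_line() {  # LINE DB BACKEND POS
    nss_f=$(mktemp)
    printf '%s\n' "$1" > "$nss_f"
    nss_ensure_backend "$nss_f" "$2" "$3" "$4"
    grep -E "^$2:" "$nss_f" || echo "(none)"
    rm -f "$nss_f"
}

# For comparison: the quoted libsss-sudo step alone, which only edits an
# existing "sudoers:" line (GNU \s transcribed as [[:space:]]).
nss_libsss_step_only() {  # LINE
    printf '%s\n' "$1" \
      | sed -E -e '/^sudoers:[[:space:]][^#]*$/ s/$/ sss/' \
               -e '/^sudoers:[[:space:]].*#/ s/#/ sss #/' \
      | grep -E '^sudoers:' || echo "(none)"
}

# Constructed nsswitch.conf with no "sudoers:" line, as left after
# libnss-sudo's removal; create it, put files first and sss last, repeat.
nss_demo() {
    nss_d=$(mktemp)
    printf 'passwd: files sss\ngroup:  files sss\n' > "$nss_d"
    nss_ensure_backend "$nss_d" sudoers files first
    nss_ensure_backend "$nss_d" sudoers sss last
    nss_ensure_backend "$nss_d" sudoers sss last   # second run is a no-op
    grep -E '^sudoers:' "$nss_d"
    rm -f "$nss_d"
}

echo "libsss-sudo sed alone: $(nss_libsss_step_only 'passwd: files sss')"
echo "with create step:      $(nss_demo)"
```

The "create" step is deliberately separate from the "add backend" step, so the same helper can be called by whichever package is installed first; the backend check runs against the part of the line before any '#', so a commented-out "sss" does not count as present.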