@sudo-team, this contains a suggestion of mine to get rid of the %sudo ALL rule in /etc/sudoers proper, moving it to a dedicated file in /etc/sudoers.d in a multi-step process ending in forky+1 at the earliest. If this ends up in a sudo team discussion, please remove #1136732 from the loop to avoid pestering the installer team.

Hi Pascal,

On Fri, May 15, 2026 at 08:26:55PM +0200, Pascal Hambourg wrote:
> On 15/05/2026 at 13:53, Marc Haber wrote:
>> Would you consider, in this case, to drop a snippet (named zz_installer,
>> zz_sudogroup or zz_<created-user>

> I'd suggest a name containing "user-setup", the d-i component in charge of configuring users and passwords in the installed system.

That should be user_setup. sudoers @includedir ignores files with dashes in the file name.

> Otherwise, that's fine with me. Please consider adding a comment like "this was created by user-setup during system installation" so that people can guess where it comes from. Normal users are probably not familiar with the names of d-i components.

>> saying either
>> %sudo ALL=(ALL:ALL) ALL

> So keep adding sudo membership, I guess.

>> or
>> <created-user> ALL=(ALL:ALL) ALL

> And stop adding sudo membership?

I would leave that decision to you. Both keeping group membership and removing it have their advantages and disadvantages:

Least change would be to use %sudo and keep adding membership; least privilege would be to use the user name and not add membership. A possible midway would be to use the user name in the sudo rule and still add sudo membership.

If the Installer has taken their decision I will gladly put on my hat of base-passwd co-maintainer and suggest a documentation change for the sudo group.

>> That way, sudo could put the respective line
>> %sudo ALL=(ALL:ALL) ALL
>> in a comment in the default configuration file, making things a bit more
>> secure on fresh installation.

> How will you deal with the upgrade of existing installations which use the default configuration file (which will be silently replaced IIUC) and rely on sudo membership? Uncomment the line or add a snippet in postinst if the group is not empty? Not sure a NEWS entry will be enough.

My idea is to ship an /etc/sudoers.d/zz_sudo_group file while keeping the %sudo ALL rule in /etc/sudoers, documenting the doubling of the %sudo ALL rule both in comments in /etc/sudoers (which a user will not see if they do not accept the package changes to the file) AND in NEWS.Debian AND in the release notes for at least forky.

In forky+1 or forky+2 we could then remove the %sudo ALL rule from /etc/sudoers proper, while keeping the change documented in the release notes for all relevant releases.

But that is not yet decided at all, it's a fully new idea.

Greetings
Marc

--
-----------------------------------------------------------------------------
Marc Haber         | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany    |  lose things."    Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature |  How to make an American Quilt | Fax: *49 6224 1600421
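As an added illustration (not part of the thread, and not code from user-setup or the sudo package), the following POSIX shell functions sketch the two things the thread touches on: checking that a candidate /etc/sudoers.d file name will actually be picked up by @includedir, and rendering the drop-in with the provenance comment Pascal asked for, in either the %sudo-group or the per-user form. The file name user_setup, the comment wording, and the function names are assumptions made here; the "no dashes" rule is taken as stated in the message above, while the rejection of names containing "." or ending in "~" follows the sudoers(5) description of @includedir.

```shell
#!/bin/sh
# Added example, not from the thread or from the user-setup/sudo packages.

# Return 0 if NAME is a file name that sudoers @includedir will read,
# 1 otherwise. Rejected: empty names, names containing a '.', names ending
# in '~' (both per sudoers(5)), names containing '-' (as stated in the
# thread), and anything with a '/' in it.
sudoers_d_name_ok() {
    name=$1
    case "$name" in
        ''|*.*|*~|*-*|*/*) return 1 ;;
    esac
    return 0
}

# Print the body of the drop-in. Argument 1 is the mode: "group" renders the
# %sudo rule (installer keeps adding the user to the sudo group), "user"
# renders a rule for the user named in argument 2 (least-privilege variant).
# Any other mode is an error. The first line is the provenance comment so an
# admin can tell where the file came from.
render_user_setup_snippet() {
    mode=$1
    user=${2:-}
    printf '%s\n' '# This file was created by user-setup during system installation.'
    case "$mode" in
        group) printf '%s\n' '%sudo ALL=(ALL:ALL) ALL' ;;
        user)
            [ -n "$user" ] || return 1
            printf '%s\n' "$user ALL=(ALL:ALL) ALL" ;;
        *) return 1 ;;
    esac
}

# Write the drop-in to a staging file (assumed name: user_setup) and report
# whether the name passes the @includedir check. Writes only under TMPDIR so
# it can be run without privileges; installing for real is left to the caller.
stage_user_setup_snippet() {
    mode=$1
    user=${2:-}
    name=user_setup
    sudoers_d_name_ok "$name" || return 1
    out="${TMPDIR:-/tmp}/$name"
    render_user_setup_snippet "$mode" "$user" > "$out" || return 1
    printf '%s\n' "$out"
}
```

Before installing the staged file into /etc/sudoers.d it should be checked with `visudo -cf <file>` and copied with mode 0440 (`install -m 0440`), since a syntax error or wrong mode in a drop-in causes sudo to refuse the whole configuration rather than just that file.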
