Hello,

On Mon, 02 Mar 2026 11:00:58 +0000 Allison Karlitskaya <[email protected]> wrote:
> Which seems to be caused by libsss-sudo assuming that the entry should
> already exist as "sudoers: files" and trying to add "sss" to the end of
> it. This was proposed in base-files but not yet in the distribution
> (also after dist-upgrade):
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=770825

We also got this bug reported in Ubuntu [1]. I have a proposed fix [2]
that boils down to:

1. Adding "files" to "libsss-sudo.nss";
2. Doing some postinst scripting to add "files" to /etc/nsswitch if "sss" is present.

(1) fixes new installations, and (2) fixes the upgrade from a broken version.

I have also attached the patch here. Does this sound reasonable, or am I
missing something?

Thanks,

-- puida

From 67a8cc4739d6386a080934669ad7a8edad2c0994 Mon Sep 17 00:00:00 2001 From: Guilherme Puida Moreira <[email protected]> Date: Fri, 5 Jun 2026 10:17:06 -0300 Subject: [PATCH] libsss-sudo: ensure 'files' is present in nsswitch.conf sudoers line --- debian/libsss-sudo.nss | 1 + debian/libsss-sudo.postinst | 16 ++++++++++++++++ 2 files changed, 17 insertions(+) create mode 100644 debian/libsss-sudo.postinst diff --git a/debian/libsss-sudo.nss b/debian/libsss-sudo.nss index add9eba15..774740307 100644 --- a/debian/libsss-sudo.nss +++ b/debian/libsss-sudo.nss @@ -1,3 +1,4 @@ sudoers database-add +sudoers last files skip-if-present=files sudoers last sss diff --git a/debian/libsss-sudo.postinst b/debian/libsss-sudo.postinst new file mode 100644 index 000000000..d9022c1d9 --- /dev/null +++ b/debian/libsss-sudo.postinst @@ -0,0 +1,16 @@ +#!/bin/sh +set -e + +# Fix broken upgrades where sudoers line has 'sss' but missing 'files'. +# dh_installnss only runs service installation on fresh install, not upgrade, +# so systems upgraded from broken versions have 'sudoers: sss' without 'files', +# breaking local sudo. This detects that state and prepends 'files'. +if [ "$1" = "configure" ] && [ -e "${DPKG_ROOT}/etc/nsswitch.conf" ]; then + if grep -q -E '^sudoers:[^#]*\bsss\b' "${DPKG_ROOT}/etc/nsswitch.conf" && \ + ! grep -q -E '^sudoers:[^#]*\bfiles\b' "${DPKG_ROOT}/etc/nsswitch.conf"; then + sed -E -i "${DPKG_ROOT}/etc/nsswitch.conf" \ + -e '/^sudoers:/ s/^sudoers:\s*/sudoers: files /' + fi +fi + +#DEBHELPER# -- 2.43.0
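
Review bot: in debian/libsss-sudo.nss, the added `sudoers last files skip-if-present=files` line yields `files sss` only because it sits above `sudoers last sss`; both entries use `last`, so the resulting lookup order depends on the order of these two lines, and nothing in the file or in the commit message (a subject with no body) records that. A short commit-message body stating that `files` must stay ahead of `sss`, with a reference to the bug report, would keep a later edit from reordering them.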
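
Review bot: in debian/libsss-sudo.postinst, the guard `[ "$1" = "configure" ]` never looks at `$2`, so the rewrite is not limited to upgrades from an affected version as the comment says; it runs on every configure, and an administrator who later sets `sudoers: sss` on purpose would get `files` put back at each upgrade. Consider adding a version gate such as `dpkg --compare-versions "$2" lt-nl <first fixed version>` (placeholder for the version that ships this fix), which also skips fresh installs where `$2` is empty. Smaller points in the same hunk: the two `grep` checks are evaluated over the whole file while the `sed` address `/^sudoers:/` rewrites every matching line, so a file with more than one `sudoers:` line is handled inconsistently; and the file operand sits between `-i` and `-e`, which works only through GNU option permutation, so placing it last would be more conventional.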

