[csw-maintainers] (now about sudo)

Sebastian Kayser skayser at opencsw.org
Tue Dec 15 22:07:47 CET 2009 

Maciej (Matchek) Blizinski wrote on 10.12.2009 19:40:
> On Thu, Dec 10, 2009 at 5:11 PM, Philip Brown <phil at bolthole.com> wrote:
>> On Wed, Dec 9, 2009 at 11:24 PM, Maciej (Matchek) Blizinski
>> <maciej at opencsw.org> wrote:
>>> Filed bug 4074 about this issue.
>>>
>> Thanks.
>>
>>> My brain says the right thing to do is:
>>>
>>> 1. Get the alternatives mechanism in place
>>> 2. Modify CSWsudo to use it
>>> 3. Modify CSWsudo_ldap to use it, give it higher priority (if both are
>>> installed at the same time, use sudo.ldap)
>>> 4. Remove the stupid symlink from CSWsudo_common
>>> 5. Release all three packages at the same time
>>>
>>> Does it look good?
>> yes... except if it takes more than a week to implement, in which
>> case, I'd say just release new sudo with the symlink in postinstall.
>> sudo needs upgrading sooner rather than later, for security reasons, I thought.
> 
> There is no security hole, it's even the opposite:  the sudo command
> vanishes, and the system becomes more secure, because users can't get
> root.  Unless they figure out sudo.minimal.
> 
> There is one thing I'm curious about.  If I understand it correctly,
> the transition from the older scheme (CSWsudo containing
> /opt/csw/bin/sudo binary) to the new scheme (CSWsudo containing
> /opt/csw/bin/sudo.minimal and CSWsudo-common containing the symlink),
> assuming the upgrade order (CSWsudo-common gets upgraded first), must
> inevitably lead to the problem I described.  I find it hard to believe
> that nobody ran into this problem before and that there were no bug
> reports.  Maintainers, are you sure that the issue hasn't surfaced
> after the introduction of the symlink?

Just cross-checked with two of our systems which were upgraded recently.
Both have up to date sudo packages now, but no /opt/csw/bin/sudo any
more. So yes, the problem has surfaced, but as we don't use sudo in that
environment it hasn't been noticed so far.

As a side note: I guess with pkgutil 1.9 which removes all
to-be-upgraded packages before installing the newer versions, one
wouldn't see this issue. Right?

Sebastian

More information about the maintainers mailing list