[csw-maintainers] (now about sudo)

Maciej (Matchek) Blizinski maciej at opencsw.org
Thu Dec 10 19:40:13 CET 2009


On Thu, Dec 10, 2009 at 5:11 PM, Philip Brown <phil at bolthole.com> wrote:
> On Wed, Dec 9, 2009 at 11:24 PM, Maciej (Matchek) Blizinski
> <maciej at opencsw.org> wrote:
>>
>> Filed bug 4074 about this issue.
>>
>
> Thanks.
>
>> My brain says the right thing to do is:
>>
>> 1. Get the alternatives mechanism in place
>> 2. Modify CSWsudo to use it
>> 3. Modify CSWsudo_ldap to use it, give it higher priority (if both are
>> installed at the same time, use sudo.ldap)
>> 4. Remove the stupid symlink from CSWsudo_common
>> 5. Release all three packages at the same time
>>
>> Does it look good?
>
> yes... except if it takes more than a week to implement, in which
> case, I'd say just release new sudo with the symlink in postinstall.
> sudo needs upgrading sooner rather than later, for security reasons, I thought.

There is no security hole, it's even the opposite:  the sudo command
vanishes, and the system becomes more secure, because users can't get
root.  Unless they figure out sudo.minimal.

There is one thing I'm curious about.  If I understand it correctly,
the transition from the older scheme (CSWsudo containing
/opt/csw/bin/sudo binary) to the new scheme (CSWsudo containing
/opt/csw/bin/sudo.minimal and CSWsudo-common containing the symlink),
assuming the upgrade order (CSWsudo-common gets upgraded first), must
inevitably lead to the problem I described.  I find it hard to believe
that nobody ran into this problem before and that there were no bug
reports.  Maintainers, are you sure that the issue hasn't surfaced
after the introduction of the symlink?  Was there any magic used during
the upgrade?

Or are our users still stuck on the old package?  From what I see in
the catalog, even our old stable contains packages with the newer
scheme.


