[csw-maintainers] (now about sudo)
Maciej (Matchek) Blizinski
maciej at opencsw.org
Wed Dec 16 09:27:49 CET 2009
On Tue, Dec 15, 2009 at 9:07 PM, Sebastian Kayser <skayser at opencsw.org> wrote:
> Maciej (Matchek) Blizinski wrote on 10.12.2009 19:40:
>> On Thu, Dec 10, 2009 at 5:11 PM, Philip Brown <phil at bolthole.com> wrote:
>>> On Wed, Dec 9, 2009 at 11:24 PM, Maciej (Matchek) Blizinski
>>> <maciej at opencsw.org> wrote:
>>>> Filed bug 4074 about this issue.
>>>>
>>> Thanks.
>>>
>>>> My brain says the right thing to do is:
>>>>
>>>> 1. Get the alternatives mechanism in place
>>>> 2. Modify CSWsudo to use it
>>>> 3. Modify CSWsudo_ldap to use it, give it higher priority (if both are
>>>> installed at the same time, use sudo.ldap)
>>>> 4. Remove the stupid symlink from CSWsudo_common
>>>> 5. Release all three packages at the same time
>>>>
>>>> Does it look good?
>>> yes... except if it takes more than a week to implement, in which
>>> case, I'd say just release new sudo with the symlink in postinstall.
>>> sudo needs upgrading sooner rather than later, for security reasons, I thought.
>>
>> There is no security hole, it's even the opposite: the sudo command
>> vanishes, and the system becomes more secure, because users can't get
>> root. Unless they figure out sudo.minimal.
>>
>> There is one thing I'm curious about. If I understand it correctly,
>> the transition from the older scheme (CSWsudo containing
>> /opt/csw/bin/sudo binary) to the new scheme (CSWsudo containing
>> /opt/csw/bin/sudo.minimal and CSWsudo-common containing the symlink),
>> assuming the upgrade order (CSWsudo-common gets upgraded first), must
>> inevitably lead to the problem I described. I find it hard to believe
>> that nobody ran into this problem before and that there were no bug
>> reports. Maintainers, are you sure that the issue hasn't surfaced
>> after the introduction of the symlink?
>
> Just cross-checked with two of our systems which were upgraded recently.
> Both have up to date sudo packages now, but no /opt/csw/bin/sudo any
> more. So yes, the problem has surfaced, but as we don't use sudo in that
> environment it hasn't been noticed so far.

I was wondering why there were no bug reports or complaints. In which
order does pkg-get upgrade the packages? pkgutil was doing it from
bottom-up (i.e. dependencies first). If pkg-get does it the other way
(i.e. dependencies last), the upgrade wouldn't cause the issue.
> As a side note: I guess with pkgutil 1.9 which removes all
> to-be-upgraded packages before installing the newer versions, one
> wouldn't see this issue. Right?
Correct.
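The upgrade-order effect discussed in this thread, as an added example that is not part of the original message or of OpenCSW's tooling: a toy model in POSIX sh where the "package manager" is a few functions acting on a scratch directory. The removal rule (an old package's files are deleted when that package version is removed) and the three orderings are assumptions of the model.

```sh
#!/bin/sh
# Toy model of the CSWsudo -> CSWsudo + CSWsudo-common transition.
# Assumption: removing the old CSWsudo deletes the path it owned, whatever
# is at that path by then (this is what makes the symlink vanish).

ROOT=$(mktemp -d)
BIN="$ROOT/opt/csw/bin"
trap 'rm -rf "$ROOT"' EXIT

reset_fs() {
    rm -rf "$BIN" && mkdir -p "$BIN"
    # Old scheme: CSWsudo ships the real binary at /opt/csw/bin/sudo.
    printf 'old sudo binary\n' > "$BIN/sudo"
}

# Old CSWsudo is removed: the sudo path it owned goes away.
remove_old_sudo()    { rm -f "$BIN/sudo"; }
# New CSWsudo ships only sudo.minimal.
install_new_sudo()   { printf 'sudo.minimal binary\n' > "$BIN/sudo.minimal"; }
# New CSWsudo-common ships the symlink sudo -> sudo.minimal.
install_new_common() { ln -sf sudo.minimal "$BIN/sudo"; }

# Run the upgrade in the given order and report whether /opt/csw/bin/sudo
# still resolves afterwards: prints "present" or "missing".
upgrade() {
    reset_fs
    case "$1" in
        deps-first)        # pkgutil's bottom-up order: CSWsudo-common first
            install_new_common
            remove_old_sudo; install_new_sudo ;;
        deps-last)         # the other way round: CSWsudo first, then common
            remove_old_sudo; install_new_sudo
            install_new_common ;;
        remove-all-first)  # pkgutil 1.9 style: remove everything, then install
            remove_old_sudo
            install_new_sudo; install_new_common ;;
    esac
    if [ -e "$BIN/sudo" ]; then echo present; else echo missing; fi
}

for order in deps-first deps-last remove-all-first; do
    echo "$order: $(upgrade "$order")"
done
```

Only the dependencies-first order loses /opt/csw/bin/sudo: the symlink CSWsudo-common puts in place is swept away when the old CSWsudo is removed, and nothing recreates it.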