user prompted for sudo changes on upgrade in ec2/uec image

Bug #768625 reported by Scott Moser
This bug affects 2 people
Affects | Status | Importance | Assigned to | Milestone
Release Notes for Ubuntu | Won't Fix | Undecided | Unassigned |
sudo (Ubuntu) | Fix Released | Medium | Unassigned |
Natty | Fix Released | Medium | Unassigned |
Oneiric | Fix Released | Medium | Ubuntu Foundations Team |

Bug Description

Binary package hint: sudo

This is a much less severe bug than bug 761689.

Instead of *not* being prompted, and being permanently locked out of sudo, the user is shown a prompt asking what to do about the differences in sudo configuration, and suggesting they use sudo.d.

In the limited case of EC2/UEC images, we can recognize that they're using an unmodified sudo file and appropriately write a sudo.d entry for them.

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: sudo 1.7.4p4-5ubuntu7
ProcVersionSignature: User Name 2.6.38-8.42-virtual 2.6.38.2
Uname: Linux 2.6.38-8-virtual i686
Architecture: i386
Date: Thu Apr 21 21:51:09 2011
Ec2AMI: ami-a6f504cf
Ec2AMIManifest: ubuntu-images-us/ubuntu-maverick-10.10-i386-server-20101225.manifest.xml
Ec2AvailabilityZone: us-east-1c
Ec2InstanceType: m1.small
Ec2Kernel: aki-407d9529
Ec2Ramdisk: unavailable
ProcEnviron:
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: sudo
UpgradeStatus: Upgraded to natty on 2011-04-21 (0 days ago)

== natty release note ==
When upgrading a UEC Image to 11.04 on EC2 or UEC, the user will be prompted regarding changes to local file /etc/sudoers. Selecting "Accept the maintainer's version" will result in the 'ubuntu' user losing access to sudo. Instead, select the default response "keep your currently-installed version" (N).

== SRU Information ==
 * Impact: This bug affects upgrade from 10.10 to 11.04 on the "UEC Images" only. UEC Images come with a 'ubuntu' user pre-configured with passwordless sudo access. Upon upgrade of sudo, if the user selects "Accept the Maintainer's version" of the sudoers file, then they will lose sudo access entirely.
 * How Bug is addressed: The bug is fixed by modifying the pre-install script of sudo to recognize the particular md5sum of /etc/sudoers that exists in UEC images. If that md5sum is found, then the stock /etc/sudoers file is laid down, and the 'ubuntu user' specific sudoers stanza is written to /etc/sudoers.d/90-cloud-ubuntu .
 * Patch: The changes for this fix are available at http://bazaar.launchpad.net/~ubuntu-branches/ubuntu/oneiric/sudo/oneiric/revision/49 .
 * Regression Potential: The regression potential here should be *very* low. The only time where different codepath will be taken is if /etc/sudoers has a known md5sum.
 * TEST CASE:
   * Launch an EC2 instance of 10.10.
   * ssh in as 'ubuntu@host'
   * enable -proposed
   * sudo apt-get update
   * sudo do-release-upgrade
   * The user will not be prompted for merge of /etc/sudoers
   * After upgrade, user still has passwordless sudo access.
   * Note: if the fix was not available (ie, proposed not enabled) then the user will be prompted for merge of /etc/sudoers.
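
The checksum-gated migration described under "How Bug is addressed", as an added shell example; it is not the code from debian/sudo.preinst or the linked revision. The stanza text, the function names and the sample files are assumptions, and the known md5sum is passed in as an argument because the page does not give its value.

```shell
#!/bin/sh
# Added illustration of the checksum-gated migration; not debian/sudo.preinst.
# Paths are arguments so the logic can be run against a scratch directory.

# Assumed stanza for the image's 'ubuntu' user (passwordless sudo).
UBUNTU_STANZA='ubuntu ALL=(ALL) NOPASSWD:ALL'

file_md5() { md5sum < "$1" | cut -d' ' -f1; }

# make_sample DIR: constructed stand-ins for the image-built sudoers file
# and the stock file shipped by the new package.
make_sample() {
    mkdir -p "$1/sudoers.d"
    printf 'root ALL=(ALL) ALL\n%s\n' "$UBUNTU_STANZA" > "$1/sudoers"
    printf 'root ALL=(ALL) ALL\n#includedir /etc/sudoers.d\n' > "$1/stock"
}

# migrate_sudoers SUDOERS STOCK DROPIN_DIR KNOWN_MD5...
# Returns 0 after migrating, 1 when the file is missing or locally modified.
migrate_sudoers() {
    sudoers=$1; stock=$2; dropin_dir=$3; shift 3
    [ -f "$sudoers" ] || return 1
    cur=$(file_md5 "$sudoers")
    matched=no
    for sum in "$@"; do
        if [ "$cur" = "$sum" ]; then matched=yes; fi
    done
    # Unknown checksum: local edits exist, so leave the decision to the admin.
    [ "$matched" = yes ] || return 1

    # Write the drop-in first, so access survives if the next step fails.
    # The temp name contains '.', which sudo skips in an includedir; the
    # final name has no '.' or trailing '~', so sudo reads it.
    tmp=$(mktemp "$dropin_dir/.90-cloud-ubuntu.XXXXXX") || return 2
    printf '%s\n' "$UBUNTU_STANZA" > "$tmp"
    chmod 0440 "$tmp"
    mv "$tmp" "$dropin_dir/90-cloud-ubuntu"

    # Lay down the stock file via rename so sudoers is never half-written.
    cp "$stock" "$sudoers.new" && chmod 0440 "$sudoers.new" &&
        mv "$sudoers.new" "$sudoers"
}
```

On a real system, running `visudo -c` after such a migration confirms that the resulting files still parse.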

Scott Moser (smoser) wrote :

Michael,
  I would appreciate your thoughts on this bug.

Scott Moser (smoser)
tags: added: server-nrs
Scott Moser (smoser) wrote :

The fix I'm proposing here is fairly simple.
  If the md5sum is one that was written by vm-builder for the UEC/Ec2 images, then do the right thing, and write a /etc/sudoers.d/ entry for the ubuntu user.

Changed in sudo (Ubuntu):
status: New → Confirmed
importance: Undecided → Medium
Changed in sudo (Ubuntu Oneiric):
status: New → Confirmed
importance: Undecided → Medium
Changed in sudo (Ubuntu Oneiric):
assignee: nobody → Ubuntu Foundations Team (ubuntu-foundations-team)
Scott Moser (smoser)
description: updated
Scott Moser (smoser) wrote :

The only thing I'm not clear on on this bug is what file naming convention we should be / are using in /etc/sudoers.d/. I selected "uec-ubuntu-user", which probably isn't right.

A quick check of apt-file shows that at the moment in natty, only one file other than README is installed there (/etc/sudoers.d/nova_sudoers). I would suggest that is also a bad name, and that we should do something with
  XX-name
where XX is a 2 digit prefix.

Anyone have thoughts on that? I think it might make sense for this case to be:
 90-uec-ubuntu

Eric Hammond (esh) wrote :

Since "UEC" is a specific product and this is used with both UEC and EC2, should the name be more generic like "cloud" instead of "uec"?

Scott Moser (smoser) wrote : Re: [Bug 768625] Re: user prompted for sudo changes on upgrade in ec2/uec image

On Thu, 5 May 2011, Eric Hammond wrote:

> Since "UEC" is a specific product and this is used with both UEC and
> EC2, should the name be more generic like "cloud" instead of "uec"?

I chose 'uec' simply because it is written by the "uec" image build
process.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.7.4p4-5ubuntu8

---------------
sudo (1.7.4p4-5ubuntu8) oneiric; urgency=low

  * debian/sudo.preinst:
    - if well-known ec2 vmbuilder file is found, write a file in
      sudoers.d for the 'ubuntu' user (LP: #768625)
 -- Scott Moser <email address hidden> Thu, 21 Apr 2011 18:04:34 -0400

Changed in sudo (Ubuntu Oneiric):
status: Confirmed → Fix Released
Michael Vogt (mvo) wrote :

I uploaded the fix into both oneiric and natty-proposed now. Please add SRU instructions to the bug description for the testers.

Changed in sudo (Ubuntu Natty):
status: New → In Progress
importance: Undecided → Medium
Scott Moser (smoser)
description: updated
Martin Pitt (pitti) wrote : Please test proposed package

Accepted sudo into natty-proposed, the package will build now and be available in a few hours. Please test and give feedback here. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Thank you in advance!

Changed in sudo (Ubuntu Natty):
status: In Progress → Fix Committed
tags: added: verification-needed
Scott Moser (smoser) wrote :

I followed the steps in the SRU information in the description with
us-east-1 ami-b2e811db ubuntu-oneiric-daily-amd64-server-20110601

I was not prompted for changes to the sudo file, and was still able to 'sudo' without password as the ubuntu user.

tags: added: verification-done
removed: verification-needed
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sudo - 1.7.4p4-5ubuntu7.1

---------------
sudo (1.7.4p4-5ubuntu7.1) natty-proposed; urgency=low

  * debian/sudo.preinst:
    - if well-known ec2 vmbuilder file is found, write a file in
      sudoers.d for the 'ubuntu' user (LP: #768625)
 -- Scott Moser <email address hidden> Thu, 21 Apr 2011 18:04:34 -0400

Changed in sudo (Ubuntu Natty):
status: Fix Committed → Fix Released
Martin Pitt (pitti) wrote :

I think the release notes task is obsolete now.

Changed in ubuntu-release-notes:
status: New → Won't Fix