Thorsten Kukuk <kukuk@suse.de> wrote:
/usr on a separate partition or subvolume will become the new default for most/nearly all Linux distributions in the next years. That's a hard requirement for many (security) concepts.
I remember back in the late 90s that /usr was supposed to be read-only and that Solaris did that. Linux didn't because it was more of a hobby at the time. (Please don't hurt me for saying that.)
Richard Brown <rbrown@suse.de> wrote:
Hi Jason,
Great to see you here 😄
:D Thank you!
I suppose what we could do (though ugly) is something like this
/usr/etc/sudoers.d - packaged snippets
/etc/sudoers - the user provided config file, defined in the %configuration step just like now but SYMLINKED to a file /usr/etc/sudoers
/etc/sudoers.d - user provided snippets
This would mean we'd have a nice read-only sudoers in /usr/etc, but it would be read from /etc and a user could just replace the symlink with their own config if they felt like it.
Then, given visudo is the recommended way of modifying the sudoers, could visudo detect if /etc/sudoers is a symlink?
Then could it drop the symlink, copy /usr/etc/sudoers to /etc/sudoers, and open /etc/sudoers for editing?
I just tested it out. Visudo appears to behave the way we want!
germ117:/ # ls -l /etc/sudoers
-r--r----- 1 root root 3041 Nov 15 00:38 /etc/sudoers
germ117:/ # mv /etc/sudoers /usr/etc/sudoers
germ117:/ # ln -s /usr/etc/sudoers /etc/sudoers
germ117:/ # ls -l /etc/sudoers
lrwxrwxrwx 1 root root 16 Nov 17 03:07 /etc/sudoers -> /usr/etc/sudoers
germ117:/ # visudo
germ117:/ # ls -l /etc/sudoers
-r--r----- 1 root root 3043 Nov 17 03:09 /etc/sudoers
germ117:/ # ls -l /usr/etc/sudoers
-r--r----- 1 root root 3041 Nov 15 00:38 /usr/etc/sudoers
Carlos E. R. <carlos.e.r@opensuse.org> wrote:
Consider that visudo should check all the files and present a single edit view
Sort of. Visudo presents only one file. The “@includedir” is down at the bottom of that file.
Can you really, at the packaging end, really do all that? Shouldn't this be done upstream?
I agree. This is definitely a job for upstream. I just took a look at the code, and I see I can help, if upstream wishes.
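The behaviour observed in the visudo test above (a symlinked /etc/sudoers is replaced by a private regular copy, and the vendor file in /usr/etc is left untouched) can be reproduced outside of visudo. The script below is an added illustration, not code from the thread, from sudo, or from the openSUSE packaging; it builds a throwaway copy of the proposed layout in a temporary directory, using a relative symlink and a constructed sudoers file so the demo never touches the real /etc or /usr/etc. The function name materialize_config and the sample sudoers content are assumptions made for the example.

```shell
#!/bin/sh
# Added example: emulate the "break the symlink before editing" step that the
# visudo test in the thread showed. Nothing here is sudo's own code.

# materialize_config PATH [MODE]
# If PATH is a symlink, replace the link with a regular file that holds the
# link target's content, set to MODE (default 0440, as on the real sudoers).
# Prints "copied" when a link was replaced, "unchanged" when PATH was already
# a regular file. The vendor file the link pointed at is never modified.
materialize_config() {
    path=$1
    mode=${2:-0440}
    if [ -L "$path" ]; then
        target=$(readlink "$path")
        # A relative link target is resolved against the link's own directory.
        case $target in
            /*) ;;
            *) target=$(dirname "$path")/$target ;;
        esac
        tmp="$path.tmp.$$"
        cp "$target" "$tmp" || return 1
        chmod "$mode" "$tmp" || return 1
        # rename(2) swaps the directory entry, so the symlink itself is
        # replaced and the file it pointed to is untouched.
        mv -f "$tmp" "$path" || return 1
        echo copied
    else
        echo unchanged
    fi
}

# demo_layout: build the proposed layout under a temp root and print the root.
# /usr/etc/sudoers is the packaged (read-only) file, /etc/sudoers starts as a
# symlink to it, and both snippet directories exist. The sudoers content is
# constructed for this example.
demo_layout() {
    root=$(mktemp -d)
    mkdir -p "$root/usr/etc/sudoers.d" "$root/etc/sudoers.d"
    printf '%s\n' 'Defaults targetpw' \
        '@includedir /usr/etc/sudoers.d' \
        '@includedir /etc/sudoers.d' > "$root/usr/etc/sudoers"
    chmod 0440 "$root/usr/etc/sudoers"
    # Relative link so the demo stays inside the temp tree; on a real system
    # this would be "ln -s /usr/etc/sudoers /etc/sudoers" as in the thread.
    ln -s ../usr/etc/sudoers "$root/etc/sudoers"
    echo "$root"
}

# edit_demo: run the whole flow and print "ok" if, after a local edit,
# /etc/sudoers is a regular file carrying the edit and /usr/etc/sudoers is
# still the pristine vendor copy. Prints "fail" otherwise.
edit_demo() {
    root=$(demo_layout)
    materialize_config "$root/etc/sudoers" 0440 >/dev/null || { echo fail; return; }
    # Stand-in for the interactive edit: append one rule to the private copy.
    chmod u+w "$root/etc/sudoers"
    echo 'jason ALL=(ALL) ALL' >> "$root/etc/sudoers"
    chmod 0440 "$root/etc/sudoers"
    if [ ! -L "$root/etc/sudoers" ] && [ -f "$root/etc/sudoers" ] \
       && grep -q '^jason ' "$root/etc/sudoers" \
       && ! grep -q '^jason ' "$root/usr/etc/sudoers"; then
        echo ok
    else
        echo fail
    fi
    rm -rf "$root"
}
```

On a real system the edit step would be `visudo` (or `visudo -f /etc/sudoers`), and `visudo -c -f /etc/sudoers` can be used afterwards to syntax-check the private copy before anything relies on it. The symlink check is deliberately done with `[ -L ]` on the exact path rather than on a resolved path, since the whole point is to distinguish "still the vendor file via a link" from "already a local copy".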