On 07.11.22 02:49, Luciano Santos wrote:
Hi Andrei, I think Stefan is just pointing out that the distro should've used a drop-in config file, under /etc/sudoers.d, for the "targetpw" as a good practice, more than anything.
But Stefan, here I'm afraid I disagree with you. In my point of view, the distro should offer a "canonical" sudoers file (under /usr/etc, preferably, so sysadmins can override it with their own /etc/sudoers) with whatever diversions from upstream they deem necessary. And atomic changes to the default behavior should be done using drop-in config files.
My idea with the drop-in (not completely spelled out in the previous mail) was, that the "targetpw" could e.g. be part of an add-on package that would have been installed automatically on system updates, but not on new installations or something like that.
And yes, managing config updates one way or the other is always hard. Sometimes you really want the updated config for almost everyone and sometimes you don't. I somehow like the Debian approach of listing up the changed files, allowing to show the difference and then having the user decide "new, old, edit", at least as an option. But I also have not used it in practice to automatically update thousands of servers at once ;-)
In this particular case, an advance warning on this list would certainly have helped. I personally read most of the "new tw snapshot mails" but often not as thoroughly to find such hidden gems in the changelogs.
Fedora, for example, has its own sudoers file [1] that makes use of the WHEEL group and any command can be run as root, as long as they are in the WHEEL group (and the user is by default, at least the first created user is).
Debian/Ubuntu, too, have their own sudoers file [2]. Similar mechanism as Fedora, but they make use of the SUDO group instead.
This would probably be a nice area for inter-distribution cooperation. Or let's just wait until systemd absorbs sudo and everyone has to use that then ;-)
Have fun,
seife
--
Stefan Seyfried
"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman