Andrei Borzenkov wrote:
On 05.11.2022 12:42, Stefan Seyfried wrote:
On 04.11.22 20:17, Luciano Santos wrote:

Whoever edits the sudoers file won't have it being replaced by new versions of the file that the distribution releases. Instead, they'll have a /etc/sudoers.rpmnew extra file with the new content. Only those who never edited the file will get bit by this change that shouldn't have happened on Tumbleweed without discussing it.

That bug is targeted for ALP, and in the future SLE 6+.

I don't think many people nowadays edit /etc/sudoers, since ages you can just drop a file in /etc/sudoers.d/ if you need something changed. Of course that default of "Defaults targetpw" should have been in such a drop-in file and not in the main config, so that it would be easy to override, but that just never has been done.

How exactly would it change anything? Next update removing drop-in with "Default targetpw" would have exactly the same effect. And overriding it is just as simple now, just add whatever rules you need to your own drop-in. Of course this requires that users actually try to learn tools they are using and read documentation and manual pages. Which again cannot be fixed by shuffling files around.
Hi Andrei,

I think Stefan is just pointing out that the distro should've used a drop-in config file, under /etc/sudoers.d, for the "targetpw" as a good practice, more than anything.

But Stefan, here I'm afraid I disagree with you. In my point of view, the distro should offer a "canonical" sudoers file (under /usr/etc, preferably, so sysadmins can override it with their own /etc/sudoers) with whatever diversions from upstream they deem necessary. And atomic changes to the default behavior should be done using drop-in config files.

Fedora, for example, has its own sudoers file [1] that makes use of the WHEEL group and any command can be run as root, as long as they are in the WHEEL group (and the user is by default, at least the first created user is). Debian/Ubuntu, too, have their own sudoers file [2]. Similar mechanism as Fedora, but they make use of the SUDO group instead.

Normally, when a software offers the foo.d/ directory mechanism, other packages can drop config files in them too. In case of SUDO, though, I can't say if that would be frowned upon. An example that comes to my mind is the OSC tool to interact with OBS from the command line. The User Guide [3] suggests creating a drop-in osc config file under /etc/sudoers.d "to allow all users in the osc group to build packages without entering the root password".

[1] https://src.fedoraproject.org/rpms/sudo/blob/rawhide/f/sudoers
[2] https://salsa.debian.org/sudo-team/sudo/-/blob/master/debian/etc/sudoers
[3] https://openbuildservice.org/help/manuals/obs-user-guide/art.obs.bg.html#pro...
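
An added example, not part of any message in this thread: a small Python resolver that reports whether "targetpw" ends up enabled and which file decided it, following sudo's rules that the last Defaults setting wins and that an included directory is read in sorted order, skipping file names that contain "." or end in "~". The tree it builds is constructed for the demonstration; the drop-in names 50-local and 99-old.bak and the position of the include line at the end of the main file are assumptions, and only global Defaults lines are handled.

```python
import re
import tempfile
from pathlib import Path

# Global "Defaults" lines only; scoped forms (Defaults:user, ...) are ignored.
DEFAULTS = re.compile(r"^Defaults\s+([^#]*)")
INCLUDEDIR = re.compile(r"^[#@]includedir\s+(\S+)")


def effective_flag(main_file, flag, root=Path("/")):
    """Return (value, source) for a boolean Defaults flag; last setting wins."""
    state = (False, "built-in default")  # targetpw is off unless set

    def scan(path):
        nonlocal state
        for line in map(str.strip, path.read_text().splitlines()):
            inc = INCLUDEDIR.match(line)
            if inc:
                d = root / inc.group(1).lstrip("/")
                # sudo reads the directory in sorted order and skips file
                # names that contain "." or end in "~".
                for f in sorted(d.iterdir()) if d.is_dir() else []:
                    if f.is_file() and "." not in f.name and not f.name.endswith("~"):
                        scan(f)
                continue
            m = DEFAULTS.match(line)
            for item in (m.group(1).split(",") if m else []):
                item = item.strip()
                if item.lstrip("!") == flag:
                    state = (not item.startswith("!"), path.name)

    scan(Path(main_file))
    return state


def demo():
    """Constructed tree: main file sets targetpw, a local drop-in negates it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc/sudoers.d").mkdir(parents=True)
        main = root / "etc/sudoers"
        main.write_text("Defaults targetpw\n@includedir /etc/sudoers.d\n")
        before = effective_flag(main, "targetpw", root)
        (root / "etc/sudoers.d/50-local").write_text("Defaults !targetpw\n")
        (root / "etc/sudoers.d/99-old.bak").write_text("Defaults targetpw\n")
        return before, effective_flag(main, "targetpw", root)


if __name__ == "__main__":
    print(demo())
```

Running the same function before and after a package update shows whether the password that sudo asks for has changed, whichever file the distribution keeps the setting in.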