Update on sudo-hacking.

Sudo now checks for configuration files in any number of locations, determined by the ./configure parameter "sysconfdir". Currently, I have it configured thus:

    %if %{defined _distconfdir}
        --sysconfdir="/etc /usr/etc" \
    %endif

In this case, sudo first looks for configuration files in '/etc' and then '/usr/etc'. (Three or more locations are possible but likely not practical.)

I have tested it out, and it works at least for the sudoers file. So, yay! No symlinks!

Caveats:

* The functions I added to sudo are duplicated; I added identical code to two places. I still need to fix that.
* This is my first time hacking Makefiles. Configure seems to expect "sysconfdir" to contain only one path. I'm not sure if there is a standard for something like this.
* Error messages might be confusing. Documentation will also need lots of work.
* I don't know how to get the changes to apply within the sudoers file. The last line of sudoers points to the sudoers.d directory. I had to hardcode the directory instead of using some variation of "@sysconfdir@" like I was able to in the Makefiles.

--Jason

On 11/21/22 18:00, Jason Sikes wrote:
On 11/15/22 01:32, Richard Brown wrote:
I suppose what we could do (though ugly) is something like this
/usr/etc/sudoers.d - packaged snippets
/etc/sudoers - the user provided config file, defined in the %configuration step just like now but SYMLINKED to a file /usr/etc/sudoers
/etc/sudoers.d - user provided snippets
This would mean we'd have a nice read-only sudoers in /usr/etc, but it would be read from /etc and a user could just replace the symlink with their own config if they felt like it.
I did just that just now as a proof-of-concept, and it seems to work!
https://build.opensuse.org/package/revisions/home:jsikes:branches:bsc1205118...
I tested it out just now, and visudo seems to magically do what we want.
Of course, it would be better if sudo would work the way we really want without using this symlink hack, but we have this.
I'm still looking at how we can get sudo to check multiple sudoers files.
--Jason
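
The lookup order described at the top of this message (first '/etc', then '/usr/etc'), as an added example that is not code from this thread or from sudo. The name find_conf, its return codes, and the owner and write-permission check are assumptions of the example; it fails closed when the higher-priority file exists but is unsafe, instead of silently falling through to the packaged copy.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

/* Hypothetical helper, not sudo's code. `dirs` is a space-separated list,
 * highest priority first. The first directory that contains `name` decides:
 * returns 0 with the path in `out`, -1 if no directory has the file, and
 * -2 if the first match is not a regular file owned by `owner` or is
 * group/world-writable (fail closed rather than fall through). */
int find_conf(const char *dirs, const char *name, uid_t owner,
              char *out, size_t outlen)
{
    const char *p = dirs;
    int rc = -1;

    while (outlen > 0) {
        struct stat sb;
        size_t len;
        int n;

        p += strspn(p, " ");          /* skip separators */
        len = strcspn(p, " ");        /* length of this directory name */
        if (len == 0)
            break;                    /* end of list */
        n = snprintf(out, outlen, "%.*s/%s", (int)len, p, name);
        p += len;
        if (n < 0 || (size_t)n >= outlen || stat(out, &sb) != 0)
            continue;                 /* too long or absent: next directory */
        if (S_ISREG(sb.st_mode) && sb.st_uid == owner &&
            (sb.st_mode & (S_IWGRP | S_IWOTH)) == 0)
            return 0;
        rc = -2;
        break;
    }
    if (outlen > 0)
        out[0] = '\0';
    return rc;
}

int main(void)
{
    char path[4096];
    int rc = find_conf("/etc /usr/etc", "sudoers", 0, path, sizeof path);
    printf("rc=%d path=%s\n", rc, path);
    return 0;
}
```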