Ubuntu
sssd package

libsss-sudo.postinst clobbers local change to /etc/nsswitch.conf

Bug #1781991 reported by Robie Basak
30
This bug affects 5 people
Affects Status Importance Assigned to Milestone
sssd (Debian)
Fix Released
Unknown
sssd (Ubuntu)
Fix Released
High
Andreas Hasenack
Xenial
Fix Released
Undecided
Andreas Hasenack
Bionic
Fix Released
Undecided
Andreas Hasenack

Bug Description

[Impact]
The libsss-sudo package insists on inserting a "sudoers: files sss" configuration line into /etc/nsswitch.conf at install time and every upgrade after that. If the line already exists and has no "sss" component, the postinst adds that.

This behavior ignores changes the user might have done. For example, some users remove "sss", like seen in bug #1249777. At the next upgrade, libsss-sudo will just add it back again.

The proposed fix here is already applied in debian and later ubuntu releases, and only triggers the nsswitch.conf check on first install.

[Test Case]

* Install libsss-sudo:
$ sudo apt install libsss-sudo

* Verify the sudoers line with sss was added to /etc/nsswitch.conf:
$ grep ^sudoers /etc/nsswitch.conf
sudoers: files sss

* Remove sss from that line, so it becomes:
$ grep ^sudoers /etc/nsswitch.conf
sudoers: files

* Reinstall the package (or upgrade to a package without the fix):
sudo apt install --reinstall libsss-sudo

* Without the fix, sss will be back:
$ grep ^sudoers /etc/nsswitch.conf
sudoers: files sss

* With the fixed package, the line will remain as you left it before, without sss:
$ grep ^sudoers /etc/nsswitch.conf
sudoers: files

[Regression Potential]
Someone could perhaps be surprised that reinstalling the package won't make it "work again", in the case they removed "sss" from the sudoers line in /etc/nsswitch.conf and expected a reinstallation to fix it.

[Other Info]
One could argue that if the user doesn't want to use sudo with sss, then why install libsss-sudo?

See original description

Related branches

~ahasenack/ubuntu/+source/sssd:xenial-sss-initial-install-only
Christian Ehrhardt  (community): Approve
Canonical Server: Pending requested
Diff: 30 lines (+10/-2)
2 files modified
debian/changelog (+7/-0)
debian/libsss-sudo.postinst (+3/-2)
~ahasenack/ubuntu/+source/sssd:bionic-sss-initial-install-only
Christian Ehrhardt  (community): Approve
Canonical Server: Pending requested
Canonical Server packageset reviewers: Pending requested
Diff: 30 lines (+10/-2)
2 files modified
debian/changelog (+7/-0)
debian/libsss-sudo.postinst (+3/-2)
~ahasenack/ubuntu/+source/sssd:cosmic-sssd-merge-1.16.3
Christian Ehrhardt  (community): Approve
Canonical Server: Pending requested
Diff: 230 lines (+162/-1)
2 files modified
debian/changelog (+160/-0)
debian/control (+2/-1)
Revision history for this message
Robie Basak (racb) wrote :

Debian bug link: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903917

Changed in sssd (Ubuntu):
status: New → Triaged
importance: Undecided → High
Bug Watch Updater (bug-watch-updater)
Changed in sssd (Debian):
status: Unknown → New
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This is fixed in debian's 1.16.3-1, which I will try to update in cosmic in time for feature freeze.

Andreas Hasenack (ahasenack)
Changed in sssd (Ubuntu):
assignee: nobody → Andreas Hasenack (ahasenack)
status: Triaged → In Progress
Andreas Hasenack (ahasenack)
Changed in sssd (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Landed in cosmic.

Changed in sssd (Ubuntu):
status: Fix Committed → Fix Released
Bug Watch Updater (bug-watch-updater)
Changed in sssd (Debian):
status: New → Fix Released
Revision history for this message
Christian Loos (cloos) wrote :

There is currently only a fix for 18.10.
How about 16.04 and 18.04?

Revision history for this message
Robie Basak (racb) wrote :

Are you saying that you've checked and can confirm that 16.04 and 18.04 are affected? If so, please could you confirm the package versions of sssd in which you have verified that the bug is present?

Depending on the fix it may be easy to backport to fix 16.04 and 18.04. But are users actually impacted enough that this would be useful? See https://wiki.ubuntu.com/StableReleaseUpdates

Robie Basak (racb)
tags: added: bitesize
Revision history for this message
Christian Loos (cloos) wrote :

I can confirm that 16.04 and 18.04 are also affected:

# Ubuntu 16.04
root@xxx:~# lsb_release -d
Description: Ubuntu 16.04.5 LTS
root@xxx:~# apt list libsss-sudo
Listing... Done
libsss-sudo/xenial-updates,now 1.13.4-1ubuntu1.12 amd64 [installed,automatic]
N: There are 2 additional versions. Please use the '-a' switch to see them.
root@xxx:~# grep sudo /etc/nsswitch.conf
sudoers: files
root@xxx:~# apt install --reinstall libsss-sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 1 not upgraded.
Need to get 0 B/13.3 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 105169 files and directories currently installed.)
Preparing to unpack .../libsss-sudo_1.13.4-1ubuntu1.12_amd64.deb ...
Unpacking libsss-sudo (1.13.4-1ubuntu1.12) over (1.13.4-1ubuntu1.12) ...
Setting up libsss-sudo (1.13.4-1ubuntu1.12) ...
Checking NSS setup...
Processing triggers for libc-bin (2.23-0ubuntu10) ...
root@xxx:~# grep sudo /etc/nsswitch.conf
sudoers: files sss

# Ubuntu 18.04
root@xxx:~# lsb_release -d
Description: Ubuntu 18.04.1 LTS
root@xxx:~# apt list libsss-sudo
Listing... Done
libsss-sudo/bionic,now 1.16.1-1ubuntu1 amd64 [installed,automatic]
root@xxx:~# grep sudo /etc/nsswitch.conf
sudoers: files
root@xxx:~# apt install --reinstall libsss-sudo
Reading package lists... Done
Building dependency tree
Reading state information... Done
0 upgraded, 0 newly installed, 1 reinstalled, 0 to remove and 0 not upgraded.
Need to get 0 B/13.1 kB of archives.
After this operation, 0 B of additional disk space will be used.
(Reading database ... 112584 files and directories currently installed.)
Preparing to unpack .../libsss-sudo_1.16.1-1ubuntu1_amd64.deb ...
Unpacking libsss-sudo (1.16.1-1ubuntu1) over (1.16.1-1ubuntu1) ...
Setting up libsss-sudo (1.16.1-1ubuntu1) ...
Checking NSS setup...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
root@xxx:~# grep sudo /etc/nsswitch.conf
sudoers: files sss

As here a config file is changed by a package update/reinstall, which could have unwanted side effects and is unnoticed by the user, I think this should be fixed for the LTS releases.

Changed in sssd (Ubuntu Xenial):
status: New → Confirmed
Changed in sssd (Ubuntu Bionic):
status: New → Confirmed
Robie Basak (racb)
tags: added: server-next
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

This is the fix from debian:
diff --git a/debian/libsss-sudo.postinst b/debian/libsss-sudo.postinst
index a9c061ede..272e68f1e 100644
--- a/debian/libsss-sudo.postinst
+++ b/debian/libsss-sudo.postinst
@@ -33,7 +33,8 @@ insert_nss_entry() {
     fi
 }

-insert_nss_entry
-
+if [ "$1" = configure ] && [ -z "$2" ]; then
+ insert_nss_entry
+fi

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Fixed in cosmic and later.

Andreas Hasenack (ahasenack)
Changed in sssd (Ubuntu Xenial):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in sssd (Ubuntu Bionic):
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in sssd (Ubuntu Xenial):
status: Confirmed → In Progress
Changed in sssd (Ubuntu Bionic):
status: Confirmed → In Progress
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

https://salsa.debian.org/sssd-team/sssd/commit/9d3189a1730672e532773f41cdb55c367b62bbaf direct link to the debian fix

Andreas Hasenack (ahasenack)
description: updated
Andreas Hasenack (ahasenack)
description: updated
Revision history for this message
Timo Aaltonen (tjaalton) wrote : Please test proposed package

Hello Robie, or anyone else affected,

Accepted sssd into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.16.1-1ubuntu1.3 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in sssd (Ubuntu Bionic):
status: In Progress → Fix Committed
tags: added: verification-needed verification-needed-bionic
Changed in sssd (Ubuntu Xenial):
status: In Progress → Fix Committed
tags: added: verification-needed-xenial
Revision history for this message
Timo Aaltonen (tjaalton) wrote :

Hello Robie, or anyone else affected,

Accepted sssd into xenial-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/sssd/1.13.4-1ubuntu1.15 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-xenial to verification-done-xenial. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-xenial. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Bionic verification

First, confirming the bug:
ubuntu@bionic-verification-sssd-sudo:~$ apt-cache policy libsss-sudo
libsss-sudo:
  Installed: 1.16.1-1ubuntu1.2
  Candidate: 1.16.1-1ubuntu1.2
  Version table:
 *** 1.16.1-1ubuntu1.2 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-updates/main amd64 Packages

$ grep ^sudoers /etc/nsswitch.conf
sudoers: files sss

Removing sss and checking again:
ubuntu@bionic-verification-sssd-sudo:~$ sudo vi /etc/nsswitch.conf
ubuntu@bionic-verification-sssd-sudo:~$ grep ^sudoers /etc/nsswitch.conf
sudoers: files

Reinstalling brings sss back to the sudoers line:
ubuntu@bionic-verification-sssd-sudo:~$ sudo apt install --reinstall libsss-sudo
Reading package lists... Done
...
Processing triggers for libc-bin (2.27-3ubuntu1) ...
ubuntu@bionic-verification-sssd-sudo:~$ grep ^sudoers /etc/nsswitch.conf
sudoers: files sss

Now, prior to the upgrade to the package in proposed, removing the sss bit again:
ubuntu@bionic-verification-sssd-sudo:~$ sudo vi /etc/nsswitch.conf
ubuntu@bionic-verification-sssd-sudo:~$ grep ^sudoers /etc/nsswitch.conf
sudoers: files

ubuntu@bionic-verification-sssd-sudo:~$ sudo apt install libsss-sudo
Reading package lists... Done
...
ubuntu@bionic-verification-sssd-sudo:~$ grep ^sudoers /etc/nsswitch.conf
sudoers: files

"sss" is not back, confirming the fix.
ubuntu@bionic-verification-sssd-sudo:~$ apt-cache policy libsss-sudo
libsss-sudo:
  Installed: 1.16.1-1ubuntu1.3
  Candidate: 1.16.1-1ubuntu1.3
  Version table:
 *** 1.16.1-1ubuntu1.3 500
        500 http://br.archive.ubuntu.com/ubuntu bionic-proposed/main amd64 Packages

But it's again placed there on a fresh install:
ubuntu@bionic-verification-sssd-sudo:~$ sudo apt purge libsss-sudo -y
Reading package lists... Done
Building dependency tree
...
ubuntu@bionic-verification-sssd-sudo:~$ grep ^sudoers /etc/nsswitch.conf
ubuntu@bionic-verification-sssd-sudo:~$ sudo apt install libsss-sudo
Reading package lists... Done
Building dependency tree
...
ubuntu@bionic-verification-sssd-sudo:~$ grep ^sudoers /etc/nsswitch.conf
sudoers: files sss

Bionic verification succeeded.

tags: added: verification-done-bionic
removed: verification-needed-bionic
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Xenial verification

First, reproducing the bug with the current package:
ubuntu@xenial-berification-sssd-sudo:~$ apt-cache policy libsss-sudo
libsss-sudo:
  Installed: (none)
  Candidate: 1.13.4-1ubuntu1.14
  Version table:
     1.13.4-1ubuntu1.14 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages

ubuntu@xenial-berification-sssd-sudo:~$ sudo apt install libsss-sudo
...
ubuntu@xenial-berification-sssd-sudo:~$ grep ^sudoers /etc/nsswitch.conf
sudoers: files sss

Removing sss:
ubuntu@xenial-berification-sssd-sudo:~$ sudo vi /etc/nsswitch.conf
ubuntu@xenial-berification-sssd-sudo:~$ grep ^sudoers /etc/nsswitch.conf
sudoers: files

Reinstall puts it back:
ubuntu@xenial-berification-sssd-sudo:~$ sudo apt install --reinstall libsss-sudo
...
ubuntu@xenial-berification-sssd-sudo:~$ grep ^sudoers /etc/nsswitch.conf
sudoers: files sss

Now enabling proposed:
ubuntu@xenial-berification-sssd-sudo:~$ apt-cache policy libsss-sudo
libsss-sudo:
  Installed: 1.13.4-1ubuntu1.14
  Candidate: 1.13.4-1ubuntu1.15
  Version table:
     1.13.4-1ubuntu1.15 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages
 *** 1.13.4-1ubuntu1.14 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages

Removing sss again from nsswitch.conf:
ubuntu@xenial-berification-sssd-sudo:~$ sudo vi /etc/nsswitch.conf
ubuntu@xenial-berification-sssd-sudo:~$ grep ^sudoers /etc/nsswitch.conf
sudoers: files

Doing the upgrade this time doesn't add sss back:
ubuntu@xenial-berification-sssd-sudo:~$ sudo apt install libsss-sudo
Reading package lists... Done
...
ubuntu@xenial-berification-sssd-sudo:~$ grep ^sudoers /etc/nsswitch.conf
sudoers: files

And I have the new package installed now:
ubuntu@xenial-berification-sssd-sudo:~$ apt-cache policy libsss-sudo
libsss-sudo:
  Installed: 1.13.4-1ubuntu1.15
  Candidate: 1.13.4-1ubuntu1.15
  Version table:
 *** 1.13.4-1ubuntu1.15 500
        500 http://br.archive.ubuntu.com/ubuntu xenial-proposed/main amd64 Packages

A fresh install, though, adds sss back, as expected:
ubuntu@xenial-berification-sssd-sudo:~$ sudo apt purge libsss-sudo
Reading package lists... Done
Building dependency tree
...
ubuntu@xenial-berification-sssd-sudo:~$ grep ^sudoers /etc/nsswitch.conf
ubuntu@xenial-berification-sssd-sudo:~$
ubuntu@xenial-berification-sssd-sudo:~$ sudo apt install libsss-sudo
Reading package lists... Done
...
ubuntu@xenial-berification-sssd-sudo:~$ grep ^sudoers /etc/nsswitch.conf
sudoers: files sss

Xenial verification succeeded.

tags: added: verification-done-xenial
removed: verification-needed-xenial
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.13.4-1ubuntu1.15

---------------
sssd (1.13.4-1ubuntu1.15) xenial; urgency=medium

  * d/libsss-sudo.postinst: Add sss entry to nsswitch only on initial install.
    (LP: #1781991)

 -- Andreas Hasenack <email address hidden> Tue, 28 May 2019 10:49:17 -0300

Changed in sssd (Ubuntu Xenial):
status: Fix Committed → Fix Released
Revision history for this message
Łukasz Zemczak (sil2100) wrote : Update Released

The verification of the Stable Release Update for sssd has completed successfully and the package has now been released to -updates. Subsequently, the Ubuntu Stable Release Updates Team is being unsubscribed and will not receive messages about this bug report. In the event that you encounter a regression using the package from -updates please report a new bug using ubuntu-bug and tag the bug report regression-update so we can easily find any regressions.

Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package sssd - 1.16.1-1ubuntu1.3

---------------
sssd (1.16.1-1ubuntu1.3) bionic; urgency=medium

  * d/libsss-sudo.postinst: Add sss entry to nsswitch only on initial install.
    Thanks to Timo Aaltonen <email address hidden> (LP: #1781991)

 -- Andreas Hasenack <email address hidden> Tue, 28 May 2019 10:52:13 -0300

Changed in sssd (Ubuntu Bionic):
status: Fix Committed → Fix Released
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.