Bug 365178

Summary: yast2 sudoers will put line ALL ALL = (ALL) ALL wrong into /etc/sudoers
Product: [openSUSE] openSUSE 10.3 Reporter: Felix-Nicolai Müller <fnmueller>
Component: YaST2Assignee: Katarina Machalkova <kmachalkova>
Status: RESOLVED WONTFIX QA Contact: Jiri Srain <jsrain>
Severity: Normal    
Priority: P3 - Medium CC: fnmueller
Version: Final   
Target Milestone: ---   
Hardware: All   
OS: openSUSE 10.3   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: Screenshot showing how sudo can be broken
Log Files /var/log/YaST2

Description Felix-Nicolai Müller 2008-02-27 12:52:45 UTC 
When configuring /etc/sudoers via yast2 --> security --> sudo to not ask for root password upon a certain command it will put the "ALL     ALL = (ALL) ALL" line in the wrong place, causing sudo still to ask for the root password.


It is:
marcel  ALL = (%root) NOPASSWD: /etc/init.d/smb start,/sbin/shutdown -h +60
ALL     ALL = (ALL) ALL  

It should be:
ALL     ALL = (ALL) ALL  
marcel  ALL = (%root) NOPASSWD: /etc/init.d/smb start,/sbin/shutdown -h +60


Even worse, yast will change back the sudoers file to :
marcel  ALL = (%root) NOPASSWD: /etc/init.d/smb start,/sbin/shutdown -h +60
ALL     ALL = (ALL) ALL  

when adding a new command. Even though I used visudo to force ALL     ALL = (ALL) ALL to be the first line.
Comment 1 Felix-Nicolai Müller 2008-02-27 12:54:29 UTC 
I just realized this big might be connected:
https://bugzilla.novell.com/show_bug.cgi?id=339925
Comment 2 Katarina Machalkova 2008-03-03 09:41:37 UTC 
Can you please try to reproduce (e.g. with clean sudoers file) and attach yast logs? Thanks
Comment 3 Felix-Nicolai Müller 2008-03-03 15:56:49 UTC 
Created attachment 198289 [details]
Screenshot showing how sudo can be broken

I added this picture to actually show how /etc/sudoers can be broken using yast. So it is really clear what we are talking about. /var/log/YaST2 will follow promply.
And yes, I am aware that it is weird to add single commands like this, but this was done on purpose.
Comment 4 Felix-Nicolai Müller 2008-03-03 16:13:12 UTC 
Created attachment 198292 [details]
Log Files /var/log/YaST2

The requested log files.
Comment 5 Katarina Machalkova 2008-11-18 16:41:06 UTC 
This is (hopefully) resolved for openSUSE 11.1 (bug #439164)

Anja, do we want (probably only optional) online update here, for openSUSE 10.3 and 11.0? 

On one hand, currently yast2-sudo can re-shuffle the rules in sudoers file in such a way that rules added by the user have no effect. On the other hand, to resolve the issue, great part of the module had to be rewritten and the final diff has 1597 lines.
Comment 6 Dirk Mueller 2008-11-20 00:49:21 UTC 
no update here, if it is fixed for 11.1.patch is too intrusive for backporting and limited numbers of users affected.
Comment 7 Katarina Machalkova 2008-11-20 08:54:39 UTC 
Wontfix for 11.0, 10.3 and anything older then. I'm sorry