Skip to content

includedir in suoders can be prefixed by "arroba"#783

Merged
TheRealFalcon merged 5 commits into
canonical:masterfrom
jordimassaguerpla:use_arroba_to_include_sudoers_directory
Jan 29, 2021
Merged

includedir in suoders can be prefixed by "arroba"#783
TheRealFalcon merged 5 commits into
canonical:masterfrom
jordimassaguerpla:use_arroba_to_include_sudoers_directory

Conversation

@jordimassaguerpla
Copy link
Copy Markdown
Contributor

@jordimassaguerpla jordimassaguerpla commented Jan 22, 2021

Proposed Commit Message

Since version 1.9.1, @includedir can be used in the sudoers files
instead of #includedir:

https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_1

This happens to be the default in SUSE Linux enterprise sudoer package,
so cloudinit should take this into account.

Otherwise, cloudinit was adding an extra #includedir, which was
resulting on the files under /etc/sudoers.d being included twice, one by
@includedir from the SUSE package, one by the @includedir from
cloudinit. The consequence of this, was that if you were defining an
Cmnd_Alias inside any of those files, this was being defined twice and
creating an error when using sudo.

Signed-off-by: Jordi Massaguer Pla <jmassaguerpla@suse.de>```

## Additional Context
<!-- If relevant -->

## Test Steps
<!-- Please include any steps necessary to verify (and reproduce if
this is a bug fix) this change on a live deployed system,
including any necessary configuration files, user-data,
setup, and teardown. Scripts used may be attached directly to this PR. -->

Add "@includedir /etc/sudoers" into /etc/sudoers

Apply cloud-init and see you have both, "@includedir /etc/sudoers" and "#includedir /etc/sudoers".

After the fix, you should only have "@includedir"

## Checklist:
<!-- Go over all the following points, and put an `x` in all the boxes
that apply. -->
 - [ ] My code follows the process laid out in [the documentation](https://cloudinit.readthedocs.io/en/latest/topics/hacking.html)
 - [ ] I have updated or added any unit tests accordingly
 - [ ] I have updated or added any documentation accordingly

@jordimassaguerpla
Copy link
Copy Markdown
Contributor Author

jordimassaguerpla commented Jan 22, 2021

Hi. I already signed the individual contributors agreement. Could you retry the github action?

@jordimassaguerpla
includedir in suoders can be prefixed by "arroba"
d580807 
Since version 1.9.1, @includedir can be used in the sudoers files
instead of #includedir:

https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_1

Actually "@includedir" is the modern syntax, and "#includedir" the historic
syntax. It has been considered that "#includedir" was too puzzling because
it started with a "#" that otherwise denotes comments.

This happens to be the default in SUSE Linux enterprise sudoer package,
so cloudinit should take this into account.

Otherwise, cloudinit was adding an extra #includedir, which was
resulting on the files under /etc/sudoers.d being included twice, one by
@includedir from the SUSE package, one by the @includedir from
cloudinit. The consequence of this, was that if you were defining an
Cmnd_Alias inside any of those files, this was being defined twice and
creating an error when using sudo.

Signed-off-by: Jordi Massaguer Pla <jmassaguerpla@suse.de>
@jordimassaguerpla jordimassaguerpla force-pushed the use_arroba_to_include_sudoers_directory branch from d62bd1f to d580807 Compare January 25, 2021 10:26
@jordimassaguerpla
Copy link
Copy Markdown
Contributor Author

jordimassaguerpla commented Jan 25, 2021

I was missing #787

TheRealFalcon
TheRealFalcon suggested changes Jan 26, 2021
View reviewed changes
Copy link
Copy Markdown
Contributor

@TheRealFalcon TheRealFalcon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@jordimassaguerpla Thanks for this. The change looks good, but can you add a unit test or two as well? It would look similar and go in the same place as the one I'm linking here, but ensure that when a line containing the # or @ include is encountered, that it correctly keeps the line rather than appending a new one.
https://github.com/canonical/cloud-init/blob/master/tests/unittests/test_distros/test_generic.py#L109

@TheRealFalcon TheRealFalcon self-assigned this Jan 26, 2021
@jordimassaguerpla
Add test for not adding 2 includedirs when there is one with arroba
8e4298f 
Signed-off-by: Jordi Massaguer Pla <jmassaguerpla@suse.de>
TheRealFalcon
TheRealFalcon reviewed Jan 28, 2021
View reviewed changes
Copy link
Copy Markdown
Contributor

@TheRealFalcon TheRealFalcon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the test. I left one small suggestion just to make sure we're hitting both include characters. After that, we should be good to merge!

Comment thread tests/unittests/test_distros/test_generic.py Outdated
@jordimassaguerpla @TheRealFalcon
Update tests/unittests/test_distros/test_generic.py
cb767fb 
Co-authored-by: James Falcon <TheRealFalcon@users.noreply.github.com>
TheRealFalcon
TheRealFalcon approved these changes Jan 29, 2021
View reviewed changes
Copy link
Copy Markdown
Contributor

@TheRealFalcon TheRealFalcon left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good. Thanks!

@TheRealFalcon TheRealFalcon merged commit 36ddf1e into canonical:master Jan 29, 2021
TheRealFalcon added a commit to TheRealFalcon/cloud-init that referenced this pull request Mar 4, 2021
@TheRealFalcon
Integration test for canonical#783
5f7d2ac 
Newer verisons of /etc/sudoers prefer @includedir over
#includedir. Ensure we handle that properly and don't include an
additional #includedir when one isn't warranted.
@TheRealFalcon TheRealFalcon mentioned this pull request Mar 4, 2021
Merged
3 tasks
TheRealFalcon added a commit that referenced this pull request Mar 11, 2021
@TheRealFalcon
Integration test for #783 (#832)
d95b448 
Newer verisons of /etc/sudoers prefer @includedir over
#includedir. Ensure we handle that properly and don't include an
additional #includedir when one isn't warranted.
This was referenced May 12, 2023
Closed
Closed
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@TheRealFalcon TheRealFalcon TheRealFalcon approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@TheRealFalcon TheRealFalcon

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@jordimassaguerpla @TheRealFalcon