This repository has been archived by the owner on Sep 17, 2024. It is now read-only.

[BUG]: /etc/sudoers is not set correctly (breaks ansible tasks relying on aur helper) #24

Closed
LorenzoBettini opened this issue Sep 6, 2022 · 3 comments · Fixed by #27
Labels
bug Something isn't working

Comments

@LorenzoBettini

Describe the bug

The /etc/sudoers generated by the installer includes /etc/sudoers.d before configuring wheel:

## Read drop-in files from /etc/sudoers.d
@includedir /etc/sudoers.d

%wheel ALL=(ALL) ALL

Defaults pwfeedback

This way, files generated into /etc/sudoers.d will not work as expected. It will break Ansible playbooks that rely on an AUR builder, configured in the wheel, that has to execute pacman without a password, as described here: https://wiki.archlinux.org/title/Ansible#AUR (as far as I know, that's the correct way to execute Ansible tasks that install packages from the AUR).

To reproduce the bug

You have to execute an ansible playbook that relies on the AUR builder user as described here: https://wiki.archlinux.org/title/Ansible#AUR

I could set up one for you, but I don't think that's necessary. The sudoers configuration as you generate it should also break other use cases.

Expected behavior

To fix the problem it is enough to invert the configuration of wheel and the inclusion:

%wheel ALL=(ALL) ALL

## Read drop-in files from /etc/sudoers.d
@includedir /etc/sudoers.d
...

instead of the current

## Read drop-in files from /etc/sudoers.d
@includedir /etc/sudoers.d

%wheel ALL=(ALL) ALL

In any case, I see that the other distributions (the ones I've used, including Arch itself) do not append to the end of the file as you do in

files_eval(
but instead uncomment the line that's already part of the sudoers file:

## Uncomment to allow members of group wheel to execute any command
%wheel ALL=(ALL:ALL) ALL

Screenshots

No response

Additional context

No response
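Why the ordering reported above matters, as an added example that is not part of the original issue or the installer's code: sudo expands `@includedir` at the point where it appears, and when several rules match, the last match decides. The sketch models only that behaviour; the drop-in line and the assumption that aur_builder is a member of wheel are constructed for illustration.

```python
import re

# Both spellings of the directive: "@includedir" and the older "#includedir".
INCLUDEDIR = re.compile(r"^[@#]includedir\s+(\S+)")
RULE = re.compile(r"^(\S+)\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(NOPASSWD:\s*)?(.+)$")

def flatten(main_text, dropins):
    """Expand includedir in place, as sudo does. `dropins` maps a directory
    to the combined text of the files in it (constructed stand-in for disk)."""
    out = []
    for line in map(str.strip, main_text.splitlines()):
        m = INCLUDEDIR.match(line)
        body = dropins.get(m.group(1), "").splitlines() if m else [line]
        out += [l.strip() for l in body if l.strip() and not l.strip().startswith("#")]
    return out

def password_required(rules, who, command):
    """Simplified matching model: the LAST rule whose user field and command
    both match decides. Returns None if nothing matches."""
    verdict = None
    for m in filter(None, map(RULE.match, rules)):
        cmds = [c.strip() for c in m.group(3).split(",")]
        if m.group(1) in who and ("ALL" in cmds or command in cmds):
            verdict = m.group(2) is None
    return verdict

# Constructed drop-in for the aur_builder user named in the issue.
DROPINS = {"/etc/sudoers.d": "aur_builder ALL=(ALL) NOPASSWD: /usr/bin/pacman\n"}
WHO = {"aur_builder", "%wheel"}  # assumption: aur_builder is a member of wheel

AS_GENERATED = """## Read drop-in files from /etc/sudoers.d
@includedir /etc/sudoers.d

%wheel ALL=(ALL) ALL

Defaults pwfeedback
"""
AS_PROPOSED = """%wheel ALL=(ALL) ALL

## Read drop-in files from /etc/sudoers.d
@includedir /etc/sudoers.d
"""

def check(main_text):
    return password_required(flatten(main_text, DROPINS), WHO, "/usr/bin/pacman")

if __name__ == "__main__":
    print("as generated:", check(AS_GENERATED))  # True: the %wheel rule is read last
    print("as proposed: ", check(AS_PROPOSED))   # False: the NOPASSWD drop-in is read last
```

On a real system, `visudo -c` validates the syntax of the resulting file and `sudo -l -U aur_builder` lists the rules sudo will apply to that user.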

@LorenzoBettini LorenzoBettini added the bug Something isn't working label Sep 6, 2022
@LorenzoBettini
Author

By breaking Ansible playbooks I mean that the playbook stops, asking for the password of the aur_builder, which, as I said, should not happen because the user itself has been created correctly and the corresponding sudoers.d file generated correctly:

TASK ... *************************************************************

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for aur_builder: 

@not-my-segfault
Member

This can be fixed by sed-ing the file instead, thanks for the feedback! I'll look into this today

@LorenzoBettini
Author

Yes, that's also what I usually do in my Arch installation script ;)
