Bug#992153: bullseye-pu: package cloud-init/20.4.1-2+deb11u1
On Fri, Aug 13, 2021 at 03:07:46PM -0600, Ross Vandegrift wrote:
> [ Checklist ]
> [X] *all* changes are documented in the d/changelog
> [X] I reviewed all changes and I approve them
> [X] attach debdiff against the package in (old)stable
Apologies - reportbug -r seems to have missed the attachment. Here it is.
Ross
diff -Nru cloud-init-20.4.1/debian/changelog cloud-init-20.4.1/debian/changelog
--- cloud-init-20.4.1/debian/changelog 2021-03-19 10:18:59.000000000 -0600
+++ cloud-init-20.4.1/debian/changelog 2021-08-12 18:47:26.000000000 -0600
@@ -1,3 +1,11 @@
+cloud-init (20.4.1-2+deb11u1) bullseye; urgency=high
+
+ * Team upload.
+ * cherry-pick upstream fix for duplicate includes in /etc/sudoers
+ (Closes: #991629)
+
+ -- Ross Vandegrift <rvandegrift@debian.org> Thu, 12 Aug 2021 18:47:26 -0600
+
cloud-init (20.4.1-2) unstable; urgency=high
* Avoid logging generated passwords to world-readable log files.
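Review bot: The new changelog entry says only "cherry-pick upstream fix" and does not name the patch file it adds or the upstream change it comes from (#783 per the patch subject). Naming debian/patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch in the bullet would let a reader of d/changelog map the entry to the file without opening the debdiff. It is also worth confirming that urgency=high is intended for this upload, since the entry describes a fix for duplicate includes rather than a security issue.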
diff -Nru cloud-init-20.4.1/debian/patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch cloud-init-20.4.1/debian/patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch
--- cloud-init-20.4.1/debian/patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch 1969-12-31 17:00:00.000000000 -0700
+++ cloud-init-20.4.1/debian/patches/0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch 2021-08-12 18:47:26.000000000 -0600
@@ -0,0 +1,64 @@
+From: Jordi Massaguer Pla <jmassaguerpla@suse.de>
+Date: Fri, 29 Jan 2021 15:43:56 +0100
+Subject: includedir in suoders can be prefixed by "arroba" (#783)
+
+Since version 1.9.1, @includedir can be used in the sudoers files
+instead of #includedir:
+
+https://github.com/sudo-project/sudo/releases/tag/SUDO_1_9_1
+
+Actually "@includedir" is the modern syntax, and "#includedir" the historic
+syntax. It has been considered that "#includedir" was too puzzling because
+it started with a "#" that otherwise denotes comments.
+
+This happens to be the default in SUSE Linux enterprise sudoer package,
+so cloudinit should take this into account.
+
+Otherwise, cloudinit was adding an extra #includedir, which was
+resulting on the files under /etc/sudoers.d being included twice, one by
+@includedir from the SUSE package, one by the @includedir from
+cloudinit. The consequence of this, was that if you were defining an
+Cmnd_Alias inside any of those files, this was being defined twice and
+creating an error when using sudo.
+---
+ cloudinit/distros/__init__.py | 2 +-
+ tests/unittests/test_distros/test_generic.py | 13 +++++++++++++
+ 2 files changed, 14 insertions(+), 1 deletion(-)
+
+diff --git a/cloudinit/distros/__init__.py b/cloudinit/distros/__init__.py
+index 1e11847..220bd11 100755
+--- a/cloudinit/distros/__init__.py
++++ b/cloudinit/distros/__init__.py
+@@ -673,7 +673,7 @@ class Distro(persistence.CloudInitPickleMixin, metaclass=abc.ABCMeta):
+ found_include = False
+ for line in sudoers_contents.splitlines():
+ line = line.strip()
+- include_match = re.search(r"^#includedir\s+(.*)$", line)
++ include_match = re.search(r"^[#|@]includedir\s+(.*)$", line)
+ if not include_match:
+ continue
+ included_dir = include_match.group(1).strip()
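Review bot: The character class in the new pattern, `[#|@]`, contains a literal `|`: inside brackets the pipe is not alternation, so a line beginning `|includedir` would also be accepted as an existing include. The commit message only describes `#includedir` and `@includedir`, so `[#@]` expresses the intent exactly. The practical effect is small, but since this match decides whether /etc/sudoers gets another include line appended, the pattern should accept no more than the two documented prefixes.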
+diff --git a/tests/unittests/test_distros/test_generic.py b/tests/unittests/test_distros/test_generic.py
+index 4460748..336150b 100644
+--- a/tests/unittests/test_distros/test_generic.py
++++ b/tests/unittests/test_distros/test_generic.py
+@@ -119,6 +119,19 @@ class TestGenericDistro(helpers.FilesystemMockingTestCase):
+ self.assertIn("josh", contents)
+ self.assertEqual(2, contents.count("josh"))
+
++ def test_sudoers_ensure_only_one_includedir(self):
++ cls = distros.fetch("ubuntu")
++ d = cls("ubuntu", {}, None)
++ self.patchOS(self.tmp)
++ self.patchUtils(self.tmp)
++ for char in ['#', '@']:
++ util.write_file("/etc/sudoers", "{}includedir /b".format(char))
++ d.ensure_sudo_dir("/b")
++ contents = util.load_file("/etc/sudoers")
++ self.assertIn("includedir /b", contents)
++ self.assertTrue(os.path.isdir("/b"))
++ self.assertEqual(1, contents.count("includedir /b"))
++
+ def test_arch_package_mirror_info_unknown(self):
+ """for an unknown arch, we should get back that with arch 'default'."""
+ arch_mirrors = gapmi(package_mirrors, arch="unknown")
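Review bot: The loop in test_sudoers_ensure_only_one_includedir, `for char in ['#', '@']:`, only exercises prefixes that are expected to match, so a pattern in ensure_sudo_dir that is broader than intended would still pass. Adding one negative case (a line with a different leading character, or an includedir for a directory other than /b) that asserts the include for /b is appended would pin down both directions of the check. The hunk also calls os.path.isdir without adding an import in the visible lines, so confirm that test_generic.py already imports os.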
diff -Nru cloud-init-20.4.1/debian/patches/series cloud-init-20.4.1/debian/patches/series
--- cloud-init-20.4.1/debian/patches/series 2021-03-19 10:02:44.000000000 -0600
+++ cloud-init-20.4.1/debian/patches/series 2021-08-12 18:47:26.000000000 -0600
@@ -6,3 +6,4 @@
0009-Drop-all-unused-extended-version-handling.patch
0012-Fix-message-when-a-local-is-missing.patch
dont_log_generated_passwords.patch
+0009-includedir-in-suoders-can-be-prefixed-by-arroba-783.patch
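Review bot: The added series entry reuses the 0009 prefix already carried by 0009-Drop-all-unused-extended-version-handling.patch and is appended last, after dont_log_generated_passwords.patch, so the number no longer reflects either uniqueness or apply order. The file name also carries the "suoders" typo from the upstream subject line. Neither affects how quilt applies the series, but renaming the patch (for example without a numeric prefix, like dont_log_generated_passwords.patch) would avoid confusion when the series is next edited.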