[25842] in Source-Commits
Re: /svn/athena r25256 - trunk/debathena/config/reactivate/debian
daemon@ATHENA.MIT.EDU (Liz A. Denys)
Tue Jul 19 18:21:26 2011
Date: Tue, 19 Jul 2011 18:21:19 -0400 (EDT)
From: "Liz A. Denys" <lizdenys@MIT.EDU>
To: Geoffrey Thomas <geofft@mit.edu>
cc: source-commits@mit.edu
In-Reply-To: <201107192111.p6JLBWX2032589@drugstore.mit.edu>
Message-ID: <alpine.DEB.2.00.1107191821160.3778@taboo>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed
ACK
--
Liz A. Denys
lizdenys@mit.edu
On Tue, 19 Jul 2011, Geoffrey Thomas wrote:
> Date: Tue, 19 Jul 2011 17:11:32 -0400
> From: Geoffrey Thomas <geofft@MIT.EDU>
> To: source-commits@mit.edu
> Subject: /svn/athena r25256 - trunk/debathena/config/reactivate/debian
>
> Author: geofft
> Date: 2011-07-19 17:11:31 -0400 (Tue, 19 Jul 2011)
> New Revision: 25256
>
> Modified:
> trunk/debathena/config/reactivate/debian/changelog
> trunk/debathena/config/reactivate/debian/snapshot-run
> Log:
> In reactivate:
> * sudo now checks its supplementary group list, not NSS, for group
> membership, and so it doesn't consider you in the admin group until
> after you run initgroups(3). Since we use sudo itself to run
> initgroups, we need to work around this somehow... the simplest fix
> is to explicitly add $USER to /etc/sudoers inside the chroot.
> At some point we may want to write our own setuid initgroups(3)
> helper and avoid sudo entirely.
>
>
> Modified: trunk/debathena/config/reactivate/debian/changelog
> ===================================================================
> --- trunk/debathena/config/reactivate/debian/changelog 2011-07-19 20:41:31 UTC (rev 25255)
> +++ trunk/debathena/config/reactivate/debian/changelog 2011-07-19 21:11:31 UTC (rev 25256)
> @@ -1,3 +1,16 @@
> +debathena-reactivate (2.0.23) unstable; urgency=low
> +
> + * sudo now checks its supplementary group list, not NSS, for group
> + membership, and so it doesn't consider you in the admin group until
> + after you run initgroups(3). Since we use sudo itself to run
> + initgroups, we need to work around this somehow... the simplest fix
> + is to explicitly add $USER to /etc/sudoers inside the chroot.
> +
> + At some point we may want to write our own setuid initgroups(3)
> + helper and avoid sudo entirely.
> +
> + -- Geoffrey Thomas <geofft@mit.edu> Tue, 19 Jul 2011 17:07:54 -0400
> +
> debathena-reactivate (2.0.22) unstable; urgency=low
>
> * Workaround for schroot/libpam-afs-session stupidity (Trac: #928)
>
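Review bot: the new 2.0.23 entry says $USER is added to /etc/sudoers inside the chroot but does not record what the rule grants. The snapshot-run change in this same commit writes `$USER ALL=(ALL) ALL`, so the entry should say that this is an unrestricted sudo rule and that it is written only to the chroot's sudoers file. That lets someone reading the changelog later judge the workaround without opening the script.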
> Modified: trunk/debathena/config/reactivate/debian/snapshot-run
> ===================================================================
> --- trunk/debathena/config/reactivate/debian/snapshot-run 2011-07-19 20:41:31 UTC (rev 25255)
> +++ trunk/debathena/config/reactivate/debian/snapshot-run 2011-07-19 21:11:31 UTC (rev 25256)
> @@ -55,6 +55,8 @@
>
> set +e
>
> +echo "$USER ALL=(ALL) ALL" | schr sh -c "cat >> /etc/sudoers"
> +
> cd
> schroot -c "$session" -r -p -- sudo -E -u "$USER" -- "$@"
> cd /
>
>
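Review bot: the added `echo "$USER ALL=(ALL) ALL" | schr sh -c "cat >> /etc/sudoers"` line sits after `set +e`, so a failed append is silently ignored and the following `schroot ... sudo -E -u "$USER"` call then runs without the rule this workaround depends on. Check the exit status of the append explicitly and bail out with a message if it fails. Two further points on the same line: `$USER` is written into sudoers without any validation and the file is not syntax-checked after the write (a `visudo -c` inside the chroot would catch a malformed line), and the only sudo invocation visible in this hunk is `sudo -E -u "$USER"`, so a rule limited to that runas target, `$USER ALL=($USER) ALL`, looks sufficient here instead of `(ALL) ALL`. If the broader grant is intentional, a comment above the echo saying why would help.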