| Summary: | sudo pkg info (Summary, Description) says it is to run commands as root, whereas other eligible other users can be specified | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | Paul Blackburn <paul.blackburn> |
| Component: | RPM Packages | Assignee: | All Packagers <pkg-bugs> |
| Status: | NEW --- | QA Contact: | |
| Severity: | minor | ||
| Priority: | Low | CC: | davidwhodgins, luigiwalser |
| Version: | Cauldron | Keywords: | UPSTREAM |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Source RPM: | sudo-1.9.5p2-2.1.mga8.src.rpm | CVE: | |
| Status comment: | |||
|
Description
Paul Blackburn
2023-01-20 18:09:29 CET
Our package description is a 1:1 copy of the description provided by the sudo developer.
From https://www.sudo.ws/about/intro/
"Sudo (su “do”) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments."
Our package description:
"Sudo (superuser do) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments."
So?

So you need to file an upstream bug that sudo's manpage doesn't match the general description from the dev. https://bugzilla.sudo.ws/index.cgi

Hello Frank,
No, that is incorrect. I suggest you read the man page. sudo may be used to access "another user" (or a specific group) privilege. It is *not* restricted to granting access only as superuser (root). The problem here is that the description "urpmq -i sudo" is suggesting it is for accessing just superuser (root). Most people would probably think that sudo is all about getting superuser (root) but there is more to it than that.

Please read again the link which I provided. This is an upstream (minor) issue as the sudo developers provide two different descriptions of their package. So you should file an upstream bug. Mageia has chosen the first description as many other Linux distributions too (OpenMandriva, Fedora, AlmaLinux, Amazon Linux, CentOS, PCLinuxOS, Rocky Linux, Solus, ...). So you are barking at the wrong tree (Mageia)...

Here again two links for the same package (sudo) from the same homepage and developer:
https://www.sudo.ws/about/intro/
"Sudo (su “do”) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments. Sudo operates on a per-command basis, it is not a replacement for the shell."
https://www.sudo.ws/docs/man/sudo.man/
"sudo allows a permitted user to execute a command as the superuser or another user, as specified by the security policy. The invoking user's real (not effective) user-ID is used to determine the user name with which to query the security policy."

Gentlemen, please. Paul is actually right: the sudo man page makes it clear (but you do have to read a lot of it) that you can invoke a command as any specified - & allowed - user; but the default is root. -u for a different user. The complaint is just about the wording in the package Summary & Description which does not make that clear. My Cauldron system is at this moment not giving full urpmq information, just:
"Summary : Allows command execution as root for specified users"
which theme is continued in the reported Description comment 0. I suppose it should be corrected. The bug is marked 'minor'. It would have been handy to bundle this small point with bug 31439. Assigning globally as sudo has no one maintainer.
See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=31439

Root privileges are required to run programs as another user or group, so being able to run programs as another user is just an example of the things that can be done with root privileges. Lowering the priority.
Priority: Normal => Low

Hello Dave,
The issue here is not about whether root privileges are required.
This is an issue of misleading documentation (from "urpmq -i sudo") vis-a-vis the man page for sudo.
Specifically that "urpmq -i sudo" states:
"run some (or all) commands as root".
=======
NB: nothing in this suggests that sudo can be used to run a command as a non-root user or a particular group. It seems to suggest it is just for running commands as root.
While, man sudo states:
"sudo allows a permitted user to execute a command as the _superuser_or_another_user, as specified by the security policy."
The man sudo description goes on to show in the Examples section both for specific user and group privilege:
exhibit-a: (non-root user)
"
To edit the index.html file as user www:
$ sudoedit -u www ~www/htdocs/index.html
"
exhibit-b: (group)
"
To view system logs only accessible to root and users in the adm group:
$ sudo -g adm more /var/log/syslog
"
So, in summary, the description from "urpmq -i sudo" only mentions root
but in reality sudo can do more.
This is a documentation error of omission. One would not expect a fully detailed explanation in the output from "urpmq -i sudo" but equally one might expect a little bit more than "run some (or all) commands as root".
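
The man page wording quoted above, "as specified by the security policy", corresponds to the Runas specification in sudoers. The fragment below is an added example, not part of the bug thread or of the Mageia package, showing rules that would authorize the two quoted man-page examples without granting any command as root. The user name alice and the absolute paths are assumptions.

```sudoers
# Constructed example; "alice" and the absolute paths are assumptions.

# Broad rule, shown commented out for comparison:
# any command, as any user or group (root included).
# alice ALL = (ALL : ALL) ALL

# Scoped rule 1: run-as user "www" only, and only sudoedit on one file.
# Authorizes:  sudoedit -u www /home/www/htdocs/index.html
alice ALL = (www) sudoedit /home/www/htdocs/index.html

# Scoped rule 2: keep alice's own UID and switch only the group to "adm".
# Authorizes:  sudo -g adm more /var/log/syslog
# NOEXEC stops a dynamically linked pager from running further
# programs (for example a shell escape) with the adm group.
alice ALL = (:adm) NOEXEC: /usr/bin/more /var/log/syslog

# With only the two scoped rules in place, "sudo <cmd>" (run-as root by
# default) and "sudo -u root <cmd>" are refused for alice.
```

A fragment like this can be syntax-checked with `visudo -cf <file>` before it is installed, and the resulting policy for the user reviewed with `sudo -l -U alice`.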

Would it be possible to get a proposal for the fix? I would also suggest reporting this to upstream. Pkg maintainers should not need to check (read: are not checking) if the upstream pkg summary or description matches what the man pages are saying or vice versa.

Hello Jani,
Thanks. I drafted 3 alternatives for consideration/modification.
link: https://pastebin.com/EdYLps5y
HTH

I'm not in favor of fixing this cosmetic issue until the change is accepted upstream.

what is the procedure for notiying upstream?

s/notiying/notifying/

Register at https://bugzilla.sudo.ws/index.cgi and file a bug report there.
Keywords: (none) => UPSTREAM

filed bug report upstream https://bugzilla.sudo.ws/show_bug.cgi?id=1044

Thanks for reporting this upstream. It would have been wise to point out that the information given by the developer differs between their "about" and "man" page. Your report now looks like "urpmq -i sudo" yields a wrong result, which is not the case, as we use the actual package description which is provided by the developer on their "about" page.

received email notification from upstream: issue resolved

What's the change that needs to be made to the package then (note: will only be done for Cauldron).
CC: (none) => luigiwalser

Hello David,
Upstream have updated: https://www.sudo.ws/about/intro/
Previously, it read:
"Sudo (su “do”) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as root while logging all commands and arguments."
After they resolved https://bugzilla.sudo.ws/show_bug.cgi?id=1044 it now reads:
"Sudo (su “do”) allows a system administrator to give certain users (or groups of users) the ability to run some (or all) commands as the superuser or another user, while logging all commands and arguments."
To be pedantic: where they have "superuser or another user" it should more accurately read "superuser or another user or member of specific group".
Also, for reference, comment 10 has alternate wording for consideration. ( from comment 10: link to: https://pastebin.com/EdYLps5y ) |