#990855 sudo: enable python plugin support

Package:
sudo
Source:
sudo
Description:
Provide limited super user privileges to specific users
Submitter:
Michael Prokop
Date:
2022-03-19 09:09:09 UTC
Severity:
wishlist
Tags:
#990855#5
Date:
2021-07-09 13:04:09 UTC
From:
To:
Hi,

since sudo v1.9.0 it's possible to write sudo plugins in Python 3,
see e.g. https://blog.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/

This requires building the package with --enable-python though,
to provide the corresponding python_plugin.so.

Thanks for consideration!

regards
-mika-

#990855#10
Date:
2021-07-12 17:50:26 UTC
From:
To:
Sounds neat.

Will this introduce a python dependency to the sudo package?

Greetings
Marc

#990855#15
Date:
2021-07-13 07:10:32 UTC
From:
To:
* Marc Haber [Mon Jul 12, 2021 at 07:50:26PM +0200]:
libpython3.9 (+ libpython3.9-minimal libpython3.9-stdlib).

So maybe it makes sense to provide a sudo-python package, similar to
what's available with sudo-ldap already? Next question would be
then, what users who want to use python *and* ldap at the same time
should install? Then it might be worth also adding a sudo-full package,
which provides all available features (python, ldap,...)?

regards
-mika-

#990855#20
Date:
2021-07-13 07:45:47 UTC
From:
To:
* Michael Prokop:

The dependency does not come from the main sudo binary but from
/usr/libexec/sudo/python_plugin.so which can be shipped in a separate
package. (I'll need to double-check the source code for any other
changes that might be caused by --enable-python.)

Cheers,
-Hilko

#990855#25
Date:
2021-07-13 08:23:31 UTC
From:
To:
* Hilko Bengen [Tue Jul 13, 2021 at 09:45:47AM +0200]:

Oh right, totally forgot that it's really just about
/usr/libexec/sudo/python_plugin.so and shipping it in a separate
package would be enough. Thanks, Hilko! :)

regards
-mika-

#990855#30
Date:
2021-07-13 15:09:25 UTC
From:
To:
I THINK that we were planning to get rid of sudo-ldap anyway
post-release (see #783889), but I don't remember the state of
discussion.

Stop! Don't do that!

;-)

Regards
Marc

#990855#35
Date:
2021-07-13 19:17:09 UTC
From:
To:
It fizzled out.  To recap:

* One problem is that sudo puts an entry into /etc/nsswitch.conf that
  has no business of being there in the first place since NSS is a
  mechanism for order-invariant entity resolving whereas sudo uses its
  plugins for combined entity resolution and policy rule evaluation
  which is not order-invariant.  Also, despite the manpage for
  nsswitch.conf wrongly claiming the opposite, as far as I can tell
  sudo never uses NSS facilities for its plugins, but instead
  implements its own in plugins/sudoers/sudo_nss.{c,h} which doesn't
  make sense to me.

* Changes to that entry are not preservable across removals/purges
  which violates DPM.

* sudo-ldap should be transformed into a package that only ships the
  plugin.

* Sudo's approach to plugins is unlike anything I've seen.

The goal(s) for bookworm should/could be:

* Copy the entry from /etc/nsswitch.conf to
  e.g. /etc/sudo/plugins.conf and patch sudo to use that and simply
  ignore/warn about the other thereafter.  The points below could be
  left for trixie, but this one is a must since any error here has the
  potential to break libc's NSS for everyone.  No longer having to
  worry about that will make life much easier.

* Try to split the packages sudo and sudo-ldap into sudo, sudo-common
  and sudo-plugin-ldap.  sudo-common must ship the update-sudo-plugins
  script that regenerates /etc/sudo/plugins.conf from whatever
  implements change-preserving configuration of the plugins (note:
  plugin order matters, so that has to be preserved, too; sudo also
  implements a subset of the nsswitch.conf short-circuiting behaviour
  which also needs to be covered; some plugins are in mutual conflict,
  e.g. the SSSD and LDAP plugins; no idea how to best express/default
  that (maybe some preference score)).

  Oddities in the architecture of the plugin APIs might make this very
  difficult or even impossible.

  Also, to load a plugin, it has to be configured explicitly in
  /etc/sudo.conf which the user has to do by hand.
  /etc/sudo/plugins.conf only configures which facilities will
  actually be used and in what order.

* Plugin packages then have to call update-sudo-plugins upon
  installation/removal.  During their first installation they should
  infer their configuration state from what's in
  /etc/sudo/plugins.conf already.  sudo-common probably needs to
  provide another helper script for that.

* A problem is that under sudo-ldap the LDAP plugin was always loaded
  because it had the same name as the non-LDAP plugin in the sudo
  package.  Setups which don't have it explicitly enabled in
  /etc/sudo.conf (i.e. essentially all of them) could thus break
  during the migration since the LDAP plugin will be renamed to
  sudoers_ldap.so afterwards.  IIRC the only way to prevent that is to
  patch sudo to first try loading sudoers_ldap.so before sudoers.so if
  it is installed and issue a warning about this fallback behaviour
  being deprecated.

Additional matters:

* The Python plugin should probably allow referencing the exact Python
  version from the beginning, e.g. sudo-plugin-python3.9.  But since
  it's considered a beta feature this is not urgent.

Regards.

#990855#40
Date:
2021-07-13 19:25:31 UTC
From:
To:
Would you mind writing that to #783889 as well? Great work, it would be
a shame if it got lost.

Regards
Marc

#990855#45
Date:
2022-01-31 20:14:07 UTC
From:
To:
Hi Mika,

I'd like to give this a shot, at least for experimental. Do you have an
example plugin that I could try and probably even base an autopkgtest
on, maybe with some explanation how I would use it?

Greetings
Marc

#990855#50
Date:
2022-01-31 21:59:36 UTC
From:
To:
* Marc Haber [Mon Jan 31, 2022 at 09:14:07PM +0100]:

Well, there's an example available at
https://www.sudo.ws/posts/2020/01/whats-new-in-sudo-1.9-python/
that should work?

regards
-mika-
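An added example of the kind of plugin Marc asks about (it is not from this thread, the linked post or the sudo project): a minimal audit plugin written against sudo's Python plugin API, structured so that its logging logic can also be exercised outside sudo, e.g. from an autopkgtest. The /etc/sudo.conf line, the module path and the class name are assumptions; the hook names and the `sudo` module come from sudo's documented audit plugin API.

```python
"""Minimal sudo audit plugin (added example, not sudo's own). Loaded via /etc/sudo.conf:
Plugin python_audit python_plugin.so ModulePath=/usr/local/lib/sudo/audit_example.py ClassName=AuditExample
"""
try:
    import sudo  # module injected by python_plugin.so when sudo loads the file
    _PluginBase = sudo.Plugin
    _RC_OK = sudo.RC.OK
except ImportError:  # outside sudo (tests, autopkgtest dry runs): plain class
    sudo = None
    _PluginBase = object
    _RC_OK = 1  # sudo's plugin API uses 1 for "success"


def parse_kv(items):
    """Turn sudo's ('key=value', ...) tuples into a dict."""
    return dict(item.split("=", 1) for item in items)


def format_event(verdict, user_info, command, reason=None):
    """One audit line: who invoked sudo, what ran (or was refused), and why."""
    info = parse_kv(user_info)
    line = "%s user=%s uid=%s cmd=%s" % (
        verdict, info.get("user", "?"), info.get("uid", "?"), command)
    if reason:
        line += " reason=%s" % reason
    return line


class AuditExample(_PluginBase):
    # sudo instantiates this once per invocation and calls the hooks below
    def __init__(self, plugin_options, user_info, **kwargs):
        self._user_info = user_info  # ('user=alice', 'uid=1000', ...)
        self.events = []             # kept in memory so a test can inspect it

    def _record(self, line):
        self.events.append(line)
        if sudo:
            sudo.log_info(line)  # goes to sudo's own log channel
        return _RC_OK

    def open(self, submit_optind, submit_argv):
        return _RC_OK

    def accept(self, plugin_type, plugin_name, command_info, run_argv, run_envp):
        return self._record(format_event("ACCEPT", self._user_info, " ".join(run_argv)))

    def reject(self, plugin_type, plugin_name, audit_msg, command_info):
        command = parse_kv(command_info).get("command", "?")
        return self._record(format_event("REJECT", self._user_info, command, audit_msg))
```

Outside sudo the `sudo` module is absent, so the fallback lets a test drive `accept`/`reject` with constructed tuples and check the produced audit lines.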

#990855#55
Date:
2022-03-19 09:07:34 UTC
From:
To:
Control: tags -1 help
thanks

To be realistic, I won't have time to try this any time soon :-(

Tagging this bug as "help".

Greetings
Marc
