Upgrade breaks sudo file

[sib]

Hi

Everytime when I upgrade NagiosXI it will break my sudoers file. The reason is that nagiosxi puts its rules in /etc/sudoers file although they have been moved to /etc/sudoers.d/nagiosxi
Looking at the upgrade script it will only search /etc/sudoers for the string "NAGIOSXI". But it should also look into /etc/sudoers.d folder.

IMHO it should be placed in /etc/sudoers.d/nagiosxi by default.

best
CHris

[lmiltchev]

The upgrade script adds ONLY the nagiosxi-related entries to the sudoers file. I don't think it modifies the rest of the file.

Code: Select all

# Remove old sudoers entries
grep -v NAGIOSXI /etc/sudoers > /etc/sudoers.new
mv -f /etc/sudoers.new /etc/sudoers
...
# Add new sudoers entries
cat nagiosxi/nagiosxi.sudoers >> /etc/sudoers

The old files in "/etc/sudoers.d/nagiosxi" will be indeed removed prior to adding the new entries.

Code: Select all

# Remove any old /etc/sudoers.d/nagiosxi files
rm -rf /etc/sudoers.d/nagiosxi

[sib]

Yes. But this is the point. It adds rules to /etc/sudoers which will break it if they are already defined somewhere else. It also forces to put the rules in /etc/sudoers instead of leaving/updating them in /etc/sudoers.d/nagiosxi

[lmiltchev]

It adds rules to /etc/sudoers which will break it if they are already defined somewhere else.

If you had these rules defined in "/etc/sudoers.d/nagiosxi", the script wouldn't "break" them. They are simply going to be placed (relocated) in the "/etc/sudoers".
I can see two possible issues here:
1. You had some "custom" entries in the "/etc/sudoers.d/nagiosxi", which will be wiped out but you shouldn't have any "custom" entries there, as this can actually break the Nagios XI's functionality and we want to keep these entries unchanged.
2. You had your nagiosxi rules in a different file, i.e. "/etc/sudoers.d/my_custom_nagiosxi_rules". Again, this is deviating from the "vanilla" setup, so it would not be a supported scenario.

It also forces to put the rules in /etc/sudoers instead of leaving/updating them in /etc/sudoers.d/nagiosxi

Our developers must have a reason for placing these rules in /etc/sudoers instead of /etc/sudoers.d/nagiosxi. In any case, they are added on the bottom of the file and they would not interfere with anything else that you have defined in it. I hope this makes sense.

[lmiltchev]

I just heard back from our developers and here's what they had to say:

The problem come in with older systems where either /etc/sudoers.d isn't available or, they don't have the sudoers.d directive enabled...
Until we deprecate use of CentOS 5 I don't see an easy fix...