When upgrading AlmaLinux, sudoers configuration was destroyed

Hello all,

I have Alma in AWS, and have a crontab to upgrade the server periodically. But the last upgrade to Alma 9.5 had deleted all the files in /etc/sudoers.d/ and reset the /etc/sudoers file.

Now I do not mind reapplying the scripts, but how can I prevent this behaviour in the future, as it leaves my system vulnerable, as it permits too many users access to the sudo command?

cat /etc/os-release
NAME="AlmaLinux"
VERSION="9.5 (Teal Serval)"
ID="almalinux"
ID_LIKE="rhel centos fedora"
VERSION_ID="9.5"
PLATFORM_ID="platform:el9"
PRETTY_NAME="AlmaLinux 9.5 (Teal Serval)"
ANSI_COLOR="0;34"
LOGO="fedora-logo-icon"

ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
ALMALINUX_MANTISBT_PROJECT_VERSION="9.5"
REDHAT_SUPPORT_PRODUCT="AlmaLinux"
REDHAT_SUPPORT_PRODUCT_VERSION="9.5"
SUPPORT_END=2032-06-01

Thank you and best regards
Tomislav

Have updated 100+ servers from 9.4 to 9.5 and put configurations in /etc/sudoers.d/, and on no servers have those files been wiped. You should roll back to the snapshot/backup before the upgrade and run it manually and see if you can find out what is happening. Feels very unlikely that a new version of a package would remove files in /etc/sudoers.d/.

Looking at the packages upgraded when going from 9.4 to 9.5, sudo is not even upgraded. 9.4 uses sudo-1.9.5p2-10.el9_3.x86_64 and so does 9.5.

There are at most two files in that directory claimed by packages in Alma and EPEL:

# dnf -q provides /etc/sudoers.d/\*
lpf-0.3-4.el9.noarch : Local package factory - build non-redistributable rpms
Repo        : epel
Matched from:
Filename    : /etc/sudoers.d/pkg-build

x2goserver-4.1.0.3-17.el9.x86_64 : X2Go Server
Repo        : epel
Matched from:
Filename    : /etc/sudoers.d/x2goserver

The package manager should not touch any files that are not from packages.
Also, config files that are from packages and have been modified, are saved.


The default sudoers rules:

# grep -B1 "^[^#]" /etc/sudoers
#
Defaults   !visiblepw
--
#
Defaults    always_set_home
Defaults    match_group_by_gid
--
# Disable this option for new behavior.
Defaults    always_query_group_plugin

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
--

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
--
## Allow root to run any commands anywhere 
root	ALL=(ALL) 	ALL
--
## Allows people in group wheel to run all commands
%wheel	ALL=(ALL)	ALL

Allow sudo only for root and members of group wheel.

Do you have many accounts as members of wheel?
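
One way to catch a change like the one reported in this thread, as an added example that is not part of any post above: record hashes of /etc/sudoers and /etc/sudoers.d/* before the cron job runs the upgrade, then compare afterwards. The function names, manifest path and alert command are assumptions.

```sh
#!/bin/sh
# Added example: detect sudoers drift across an unattended upgrade.
# Function names and the manifest location are assumptions, not from the thread.
# File names containing whitespace are not supported (manifest is space-separated).

# sudoers_manifest ETC_DIR
# Print "sha256  path" for ETC_DIR/sudoers and every regular file in
# ETC_DIR/sudoers.d, with paths relative to ETC_DIR, sorted by path.
sudoers_manifest() {
    (
        cd "$1" || exit 2
        for f in sudoers sudoers.d/*; do
            if [ -f "$f" ]; then sha256sum "$f"; fi
        done | sort -k2
    )
}

# sudoers_drift ETC_DIR MANIFEST
# Compare the current state with a saved manifest. Prints one line per
# difference (MISSING, CHANGED or NEW) and returns 1 if there is any drift.
sudoers_drift() {
    drift_now=$(sudoers_manifest "$1") || return 2
    drift_report=$(
        {
            sed 's/^/old /' "$2"
            printf '%s\n' "$drift_now" | sed 's/^/new /'
        } | awk '
            NF == 3 && $1 == "old" { old[$3] = $2 }
            NF == 3 && $1 == "new" { new[$3] = $2 }
            END {
                for (p in old) {
                    if (!(p in new)) print "MISSING " p
                    else if (old[p] != new[p]) print "CHANGED " p
                }
                for (p in new) if (!(p in old)) print "NEW " p
            }' | sort
    )
    [ -z "$drift_report" ] && return 0
    printf '%s\n' "$drift_report"
    return 1
}

# In the cron job (paths are assumptions):
#   sudoers_manifest /etc > /root/sudoers.manifest      # before dnf upgrade
#   sudoers_drift /etc /root/sudoers.manifest || logger -p auth.alert "sudoers changed during upgrade"
```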