security: Fix issue with Plinth locked out from sudo

Signed-off-by: Sunil Mohan Adapa <sunil@medhas.org> Reviewed-by: Joseph Nuthalapati <njoseph@thoughtworks.com>
2026-01-21 07:55:00 +00:00 · 2018-05-08 10:00:35 +05:30 · 2018-05-08 10:00:35 +05:30 · daeec0528b
commit daeec0528b
parent fded8e57ec
2 changed files with 12 additions and 2 deletions
--- a/debian/postinst
+++ b/debian/postinst
@ -5,6 +5,12 @@ set -e
 daemonuser=plinth
 daemongroup=plinth

+# Due to a change in sudo, now it runs PAM modules even on password-less
+# invocations. This leads to plinth not being able to run root privileges. This
+# is because of our own restrictions in /etc/security/access.conf. Since Plinth
+# is locked out after upgrade, we need to do this in postinst.
+sed -ie 's+-:ALL EXCEPT root fbx (admin) (sudo):ALL+-:ALL EXCEPT root fbx plinth (admin) (sudo):ALL+' /etc/security/access.conf
+
 case "$1" in
 configure)
 	addgroup --system --quiet plinth
--- a/plinth/modules/security/init.py
+++ b/plinth/modules/security/init.py
@ -23,7 +23,7 @@ from django.utils.translation import ugettext_lazy as _
 from plinth import actions
 from plinth.menu import main_menu

-version = 3
+version = 4

 is_essential = True

@ -50,7 +50,11 @@ def init():
 def setup(helper, old_version=None):
    """Install the required packages"""
    helper.install(managed_packages)
-    setup_fail2ban()
+    if not old_version:
+        setup_fail2ban()
+
+    if get_restricted_access_enabled():
+        set_restricted_access(True)


 def setup_fail2ban():