Last modified: 2014-03-17 21:49:52 UTC
Those seem to have been created April 2013 and earlier; they should be removed as to not confuse the upcoming tool usernames change.
Deleted /data/project/.system/sudoers; all entries also in LDAP.
... and /etc/sudoers.d/tools-{dev,login} (configuration for the above to work on the respective hosts) as well.
(In reply to comment #1) > Deleted /data/project/.system/sudoers; all entries also in LDAP. Yes, but only as rules for the new service group system; no old ones, and so broke "become" for the affected tools. I'll diff [[wikitech:Special:NovaServiceGroup]] and [[wikitech:Special:NovaSudoer]] to create a list of affected tools, deploy a hot fix to /etc/sudoers.d and submit a change to Puppet.
List of affected tools: - afcbot - anagrimes - csbot - daahbot - ftl - legobot - matilda - wiktioutils
/etc/sudoers.d/tools-ldap-fix deployed to all Tools nodes.
Change 112666 had a related patch set uploaded by Tim Landscheidt: Tools: Work around missing LDAP sudo rules https://gerrit.wikimedia.org/r/112666
Change 112666 abandoned by Tim Landscheidt: Tools: Work around missing LDAP sudo rules Reason: In eqiad no longer necessary. https://gerrit.wikimedia.org/r/112666