- Issued:
- 2013-01-07
- Updated:
- 2013-01-07
RHBA-2013:0112 - sudo bug fix and enhancement update
Synopsis
sudo bug fix and enhancement update
Type/Severity
Bug Fix Advisory
Topic
Updated sudo packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
Description
The sudo (superuser do) utility allows system administrators to give specific users the ability to run commands as root.
This update fixes the following bugs:
-
Previously, sudo escaped non-alphanumeric characters in commands using "sudo -s" or "sudo -" at the wrong place and interfered with the authorization process. Some valid commands were not permitted. Now, non-alphanumeric characters are escaped immediately before the command is executed and no longer interfere with the authorization process. (BZ#806073)
-
Prior to this update, the sudo utility could fail to receive the SIGCHLD signal when it was executed from a process that blocked the SIGCHLD signal. As a consequence, sudo could become suspended and fail to exit. This update modifies the signal process mask so that sudo can exit and sends the correct output. (BZ#814508)
-
The sudo update RHSA-2012:0309 introduced a regression that caused the SELinux context of the /etc/nsswitch.conf file to change during installation or upgrade of the sudo package. This could cause that various services confined by SELinux were no longer permitted to access the file. In reported cases, this issue prevented PostgreSQL and Postfix from starting. (BZ#818585)
-
Prior to this update, a race condition bug existed in sudo. When a program was executed with sudo, it could exit successfully before sudo started waiting for it. In this situation, the program became a defunct process and sudo waited for it endlessly as it expected the program was still running. (BZ#829263)
-
The sudo update RHSA-2012:0309 changed the behavior of sudo; it now runs commands as a child process instead of executing them directly and replacing the running process. This change could cause errors in some external scripts. A new cmnd_no_wait configuration option was added to restore the old behavior. To apply this option, add the following line to the /etc/sudoers file:
Defaults cmnd_no_wait
(BZ#840971)
-
Updating the sudo package resulted in the "sudoers" line in /etc/nsswitch.conf being removed. This update corrects the bug in the sudo package's post-uninstall script that caused this issue. (BZ#841070)
-
The RHSA-2012:1149 sudo security update introduced a regression that caused the permissions of the /etc/nsswitch.conf file to change during the installation or upgrade of the sudo package. This could cause various services to be unable to access the file. In reported cases, this bug prevented PostgreSQL from starting. This update fixes the bug and the file's permissions are no longer changed in the described scenario. (BZ#846631)
-
The policycoreutils package dependency, which includes the restorecon utility, was set to Requires only. Consequently, the installation proceeded in the incorrect order and restorecon was required before it was installed. This bug has been fixed by using a context marked dependency "Requires(post)" and "Requires(postun)", and the installation now proceeds correctly. (BZ#846694)
Also, this update adds the following enhancement:
- The sudo utility is able to consult the /etc/nsswitch.conf file for sudoers entries and look them up in files or in LDAP. Previously, when a match was found in the first database of sudoers entries, the look-up operation still continued in other databases. This update adds an option to the /etc/nsswitch.conf file that allows specifying a database. Once a match was found in the specified database, the search is finished. This eliminates the need to query any other databases; thus, improving the performance of sudoers entry look ups in large environments. This behavior is not enabled by default and must be configured by adding the "[SUCCESS=return]" string after a selected database. When a match is found in a database that directly precedes this string, no other databases are queried. (BZ#840097)
All users of sudo are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.
Solution
Before applying this update, make sure all previously-released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/knowledge/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Power, big endian | 5 | ppc |
| Red Hat Enterprise Linux for IBM z Systems | 5 | s390x |
| Red Hat Enterprise Linux Workstation | 5 | x86_64 |
| Red Hat Enterprise Linux Workstation | 5 | i386 |
| Red Hat Enterprise Linux Server | 5 | x86_64 |
| Red Hat Enterprise Linux Server | 5 | ia64 |
| Red Hat Enterprise Linux Server | 5 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 5 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 5 | i386 |
| Red Hat Enterprise Linux Desktop | 5 | x86_64 |
| Red Hat Enterprise Linux Desktop | 5 | i386 |
Updated Packages
- sudo-1.7.2p1-22.el5.src.rpm
- sudo-debuginfo-1.7.2p1-22.el5.ppc.rpm
- sudo-1.7.2p1-22.el5.x86_64.rpm
- sudo-debuginfo-1.7.2p1-22.el5.x86_64.rpm
- sudo-1.7.2p1-22.el5.i386.rpm
- sudo-debuginfo-1.7.2p1-22.el5.s390x.rpm
- sudo-1.7.2p1-22.el5.ppc.rpm
- sudo-debuginfo-1.7.2p1-22.el5.i386.rpm
- sudo-1.7.2p1-22.el5.s390x.rpm
- sudo-debuginfo-1.7.2p1-22.el5.ia64.rpm
- sudo-1.7.2p1-22.el5.ia64.rpm
Fixes
- This content is not included.BZ - 818585
- This content is not included.BZ - 829263
- This content is not included.BZ - 841070
- This content is not included.BZ - 846631
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is This content is not included.secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data data is available for integration with other systems. See Offline Security Data API to get started.