- Issued: 2014-10-13
- Updated: 2014-10-13
RHBA-2014:1484 - sudo bug fix update
Synopsis
sudo bug fix update
Type/Severity
Bug Fix Advisory (none)
Topic
Updated sudo packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
Description
The sudo packages contain the sudo utility which allows system administrators to provide certain users with the permission to execute privileged commands, which are used for system management purposes, without having to log in as root.
This update fixes the following bugs:
- Previously, the sudo utility did not correctly handle the "sudo -ll" command when the System Security Services Daemon (SSSD) was used to retrieve the available sudo entries. Consequently, running "sudo -ll" returned incomplete results, as it did not list the rule names that applied to the user. A patch has been applied to fix this bug, and "sudo -ll" now lists the rule names as expected when SSSD is used. (BZ#1006447)
- Prior to this update, sudo did not respond correctly to the root user's request to list the privileges of a specified user when SSSD was used. As a consequence, running "sudo -l -U" for a certain user as root returned incomplete results, while running the same command as that user worked as expected. The source code has been updated to fix this problem, and executing "sudo -l -U" as root now returns correct results. (BZ#1006463)
- Previously, sudo did not correctly handle the situation where a group specification in the /etc/sudoers file contained escape characters on systems integrated with Active Directory (AD). As a consequence, specifying a custom password prompt for a group whose name contains escape characters did not work: sudo displayed the default password prompt instead when a member of that group used sudo. A patch has been applied to fix this bug, and setting a custom password prompt now works as expected even if the group specification contains escape characters. (BZ#1052940)
- Previously, the sesh process, when invoked by sudo as "-sesh", executed the login shell with an incorrect argv[0]: it replaced the last slash character in the shell path with a dash while leaving the rest of the path unchanged. As a consequence, the login shell was invoked as "/bin-[shell]" instead of "-[shell]", which could result in unexpected system behavior. The source code has been updated to fix this bug, and sesh now passes the expected dash-prefixed shell name. (BZ#1065415)
- Previously, when a user pressed Ctrl+C at the sudo password prompt to abort the login, the pam_faillock module did not register the interruption. As a consequence, sudo continued to attempt the login and eventually locked the user out. The problem has been fixed: an attempt aborted with Ctrl+C still counts as one failed login attempt, but sudo no longer locks the user out. (BZ#1070952)
- Previously, sudo did not correctly handle the case where the NIS domain name is reported as "(none)", which is what the getdomainname() function returns when no domain name has been set. Sudo treated the "(none)" string as a valid domain name instead of recognizing that no domain name was configured. The source code has been updated to fix this problem, and sudo now handles the described situation correctly. (BZ#1078338)
- Prior to this update, when a sudo rule contained a netgroup reference (+netgroup) in the sudoUser attribute, sudo ignored the rest of the rule under certain circumstances. Consequently, executing the "sudo -l" command did not show the complete list of rules configured for the specified user. With this update, the problem has been fixed, and running "sudo -l" now shows the complete list of rules even when a rule contains a +netgroup entry. (BZ#1083064)
Users of sudo are advised to upgrade to these updated packages, which fix these bugs.
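Why the "(none)" case (BZ#1078338) matters: sudo uses the host's NIS domain name when matching netgroups, and on Linux the kernel's default domain name is the literal string "(none)", so getdomainname() hands that back whenever nothing has been configured. The following is an added C example, not sudo's code, showing a wrapper that treats "(none)" and an empty string alike as "no domain set" and also guards against glibc truncating the name without a terminating NUL when the buffer is too small. Function names are invented for the example, and the sample strings in main() are constructed stand-ins for what getdomainname() returns on different hosts.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* True only for a real domain name: NULL, "" and the Linux kernel's
 * default placeholder "(none)" all mean that no NIS domain is configured. */
int nis_domain_is_set(const char *name)
{
    return name != NULL && name[0] != '\0' && strcmp(name, "(none)") != 0;
}

/* Fetch the NIS domain into buf. Returns 1 if a real domain is configured,
 * 0 if none is set (buf is then ""), -1 on error or a zero-length buffer.
 * glibc may truncate an over-long name without NUL-terminating it, so the
 * buffer is terminated explicitly before it is inspected. */
int current_nis_domain(char *buf, size_t len)
{
    if (len == 0)
        return -1;
    if (getdomainname(buf, len) != 0) {
        buf[0] = '\0';
        return -1;
    }
    buf[len - 1] = '\0';
    if (!nis_domain_is_set(buf)) {
        buf[0] = '\0';
        return 0;
    }
    return 1;
}

int main(void)
{
    char buf[256];
    int rc = current_nis_domain(buf, sizeof buf);
    printf("NIS domain on this host: %s (rc=%d)\n", rc == 1 ? buf : "<not set>", rc);

    /* Constructed values standing in for getdomainname() output elsewhere. */
    const char *samples[] = { "", "(none)", "example.com" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("\"%s\" -> %s\n", samples[i],
               nis_domain_is_set(samples[i]) ? "domain set" : "no domain");
    return 0;
}
```

The same placeholder is visible from the shell: `domainname` (or `cat /proc/sys/kernel/domainname`) prints "(none)" on a host that has never set one, so any script that feeds that value into netgroup matching needs the same check.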
Solution
Before applying this update, make sure all previously released errata relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258
Affected Products
| Product | Version | Arch |
|---|---|---|
| Red Hat Enterprise Linux for Scientific Computing | 6 | x86_64 |
| Red Hat Enterprise Linux for Power, big endian | 6 | ppc64 |
| Red Hat Enterprise Linux for IBM z Systems | 6 | s390x |
| Red Hat Enterprise Linux Workstation | 6 | x86_64 |
| Red Hat Enterprise Linux Workstation | 6 | i386 |
| Red Hat Enterprise Linux Server | 6 | x86_64 |
| Red Hat Enterprise Linux Server | 6 | i386 |
| Red Hat Enterprise Linux Server from RHUI | 6 | x86_64 |
| Red Hat Enterprise Linux Server from RHUI | 6 | i386 |
| Red Hat Enterprise Linux Server - Retired Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | x86_64 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension | 6 | i386 |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) | 6 | s390x |
| Red Hat Enterprise Linux Desktop | 6 | x86_64 |
| Red Hat Enterprise Linux Desktop | 6 | i386 |
Updated Packages
- sudo-debuginfo-1.8.6p3-15.el6.i686.rpm
- sudo-debuginfo-1.8.6p3-15.el6.s390.rpm
- sudo-devel-1.8.6p3-15.el6.s390.rpm
- sudo-debuginfo-1.8.6p3-15.el6.x86_64.rpm
- sudo-1.8.6p3-15.el6.src.rpm
- sudo-1.8.6p3-15.el6.i686.rpm
- sudo-debuginfo-1.8.6p3-15.el6.ppc.rpm
- sudo-1.8.6p3-15.el6.ppc64.rpm
- sudo-debuginfo-1.8.6p3-15.el6.ppc64.rpm
- sudo-devel-1.8.6p3-15.el6.s390x.rpm
- sudo-1.8.6p3-15.el6.x86_64.rpm
- sudo-devel-1.8.6p3-15.el6.x86_64.rpm
- sudo-devel-1.8.6p3-15.el6.ppc.rpm
- sudo-1.8.6p3-15.el6.s390x.rpm
- sudo-devel-1.8.6p3-15.el6.ppc64.rpm
- sudo-devel-1.8.6p3-15.el6.i686.rpm
- sudo-debuginfo-1.8.6p3-15.el6.s390x.rpm
Fixes
CVEs
(none)
References
(none)
Additional information
- The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
- Offline Security Data is available for integration with other systems. See the Offline Security Data API to get started.