Red Hat Training

A Red Hat training course is available for Red Hat Enterprise Linux

4.173. sudo

Updated sudo packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.

Bug Fix

BZ#846974
The RHSA-2012:1149 sudo security update introduced a regression that caused the permissions of the /etc/nsswitch.conf file to change during the installation or upgrade of the sudo package. This could cause various services to be unable to access the file. In reported cases, this bug prevented PostgreSQL from starting. This update fixes the bug and the file's permissions are no longer changed in the described scenario.
All users of sudo are advised to upgrade to these updated packages, which fix this bug.
Updated sudo packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.

Bug Fix

BZ#854513
Due to an previous enhancement update, the sudo behavior changed to run a command as a new child process using the fork() and execve() functions, rather than using execve() directly and replace the sudo process. This change in behavior caused various problems with custom scripts. This update adds a new option to restore the old behavior. This option can be activated by adding "Defaults cmnd_no_wait" to the /etc/sudoers file, which fixes this bug.
All users of sudo are advised to upgrade to these updated packages, which fix this bug.
Updated sudo packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
The sudo (superuser do) utility allows system administrators to give specific users the ability to run commands as root.

Bug Fixes

BZ#806073
Previously, sudo escaped non-alphanumeric characters in commands using "sudo -s" or "sudo -" at the wrong place and interfered with the authorization process. Some valid commands were not permitted. Now, non-alphanumeric characters are escaped immediately before the command is executed and no longer interfere with the authorization process.
BZ#814508
Prior to this update, the sudo utility could fail to receive the SIGCHLD signal when it was executed from a process that blocked the SIGCHLD signal. As a consequence, sudo could become suspended and fail to exit. This update modifies the signal process mask so that sudo can exit and sends the correct output.
BZ#818585
The sudo update RHSA-2012:0309 introduced a regression that caused the SELinux context of the /etc/nsswitch.conf file to change during installation or upgrade of the sudo package. This could cause that various services confined by SELinux were no longer permitted to access the file. In reported cases, this issue prevented PostgreSQL and Postfix from starting.
BZ#829263
Prior to this update, a race condition bug existed in sudo. When a program was executed with sudo, it could exit successfully before sudo started waiting for it. In this situation, the program became a defunct process and sudo waited for it endlessly as it expected the program was still running.
BZ#840971
The sudo update RHSA-2012:0309 changed the behavior of sudo; it now runs commands as a child process instead of executing them directly and replacing the running process. This change could cause errors in some external scripts. A new cmnd_no_wait configuration option was added to restore the old behavior. To apply this option, add the following line to the /etc/sudoers file:
        Defaults cmnd_no_wait
BZ#841070
Updating the sudo package resulted in the "sudoers" line in /etc/nsswitch.conf being removed. This update corrects the bug in the sudo package's post-uninstall script that caused this issue.
BZ#846631
The RHSA-2012:1149 sudo security update introduced a regression that caused the permissions of the /etc/nsswitch.conf file to change during the installation or upgrade of the sudo package. This could cause various services to be unable to access the file. In reported cases, this bug prevented PostgreSQL from starting. This update fixes the bug and the file's permissions are no longer changed in the described scenario.
BZ#846694
The policycoreutils package dependency, which includes the restorecon utility, was set to Requires only. Consequently, the installation proceeded in the incorrect order and restorecon was required before it was installed. This bug has been fixed by using a context marked dependency "Requires(post)" and "Requires(postun)", and the installation now proceeds correctly.

Enhancement

BZ#840097
The sudo utility is able to consult the /etc/nsswitch.conf file for sudoers entries and look them up in files or in LDAP. Previously, when a match was found in the first database of sudoers entries, the look-up operation still continued in other databases. This update adds an option to the /etc/nsswitch.conf file that allows specifying a database. Once a match was found in the specified database, the search is finished. This eliminates the need to query any other databases; thus, improving the performance of sudoers entry look ups in large environments. This behavior is not enabled by default and must be configured by adding the "[SUCCESS=return]" string after a selected database. When a match is found in a database that directly precedes this string, no other databases are queried.
All users of sudo are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.
An updated sudo package that fixes one security issue and several bugs is now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.

Security Fix

CVE-2012-3440
An insecure temporary file use flaw was found in the sudo package's post-uninstall script. A local attacker could possibly use this flaw to overwrite an arbitrary file via a symbolic link attack, or modify the contents of the "/etc/nsswitch.conf" file during the upgrade or removal of the sudo package.

Bug Fixes

BZ#844418
Previously, sudo escaped non-alphanumeric characters in commands using "sudo -s" or "sudo -" at the wrong place and interfered with the authorization process. Some valid commands were not permitted. Now, non-alphanumeric characters escape immediately before the command is executed and no longer interfere with the authorization process.
BZ#844419
Prior to this update, the sudo utility could, under certain circumstances, fail to receive the SIGCHLD signal when it was executed from a process that blocked the SIGCHLD signal. As a consequence, sudo could become suspended and fail to exit. This update modifies the signal process mask so that sudo can exit and sends the correct output.
BZ#842759
The sudo update RHSA-2012:0309 introduced a regression that caused the Security-Enhanced Linux (SELinux) context of the "/etc/nsswitch.conf" file to change during the installation or upgrade of the sudo package. This could cause various services confined by SELinux to no longer be permitted to access the file. In reported cases, this issue prevented PostgreSQL and Postfix from starting.
BZ#844420
Updating the sudo package resulted in the "sudoers" line in "/etc/nsswitch.conf" being removed. This update corrects the bug in the sudo package's post-uninstall script that caused this issue.
BZ#844978
Prior to this update, a race condition bug existed in sudo. When a program was executed with sudo, the program could possibly exit successfully before sudo started waiting for it. In this situation, the program would be left in a zombie state and sudo would wait for it endlessly, expecting it to still be running.
All users of sudo are advised to upgrade to this updated package, which contains backported patches to correct these issues.
An updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.

Security Fix

CVE-2012-2337
A flaw was found in the way the network matching code in sudo handled multiple IP networks listed in user specification configuration directives. A user, who is authorized to run commands with sudo on specific hosts, could use this flaw to bypass intended restrictions and run those commands on hosts not matched by any of the network specifications.
All users of sudo are advised to upgrade to this updated package, which contains a backported patch to correct this issue.