4.173. sudo

Updated sudo packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.

Bug Fix

BZ#846974
The RHSA-2012:1149 sudo security update introduced a regression that caused the permissions of the /etc/nsswitch.conf file to change during the installation or upgrade of the sudo package. This could cause various services to be unable to access the file. In reported cases, this bug prevented PostgreSQL from starting. This update fixes the bug and the file's permissions are no longer changed in the described scenario.
All users of sudo are advised to upgrade to these updated packages, which fix this bug.
Updated sudo packages that fix one bug are now available for Red Hat Enterprise Linux 5.
The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.

Bug Fix

BZ#854513
Due to a previous enhancement update, the behavior of sudo changed: it now runs a command as a new child process using the fork() and execve() functions, rather than calling execve() directly and replacing the sudo process. This change in behavior caused various problems with custom scripts. This update adds a new option that restores the old behavior. The option is activated by adding "Defaults cmnd_no_wait" to the /etc/sudoers file, which fixes this bug.
All users of sudo are advised to upgrade to these updated packages, which fix this bug.
Updated sudo packages that fix several bugs and add one enhancement are now available for Red Hat Enterprise Linux 5.
The sudo (superuser do) utility allows system administrators to give specific users the ability to run commands as root.

Bug Fixes

BZ#806073
Previously, sudo escaped non-alphanumeric characters in commands run via "sudo -s" or "sudo -" at the wrong stage, which interfered with the authorization process, so some valid commands were not permitted. Now, non-alphanumeric characters are escaped immediately before the command is executed and no longer interfere with the authorization process.
BZ#814508
Prior to this update, the sudo utility could fail to receive the SIGCHLD signal when it was executed from a process that blocked the SIGCHLD signal. As a consequence, sudo could become suspended and fail to exit. This update modifies the signal process mask so that sudo can exit and send the correct output.
BZ#818585
The sudo update RHSA-2012:0309 introduced a regression that caused the SELinux context of the /etc/nsswitch.conf file to change during installation or upgrade of the sudo package. As a consequence, various services confined by SELinux could no longer be permitted to access the file. In reported cases, this issue prevented PostgreSQL and Postfix from starting.
BZ#829263
Prior to this update, a race condition bug existed in sudo. When a program was executed with sudo, it could exit successfully before sudo started waiting for it. In this situation, the program became a defunct process and sudo waited for it endlessly, assuming the program was still running.
BZ#840971
The sudo update RHSA-2012:0309 changed the behavior of sudo; it now runs commands as a child process instead of executing them directly and replacing the running process. This change could cause errors in some external scripts. A new cmnd_no_wait configuration option was added to restore the old behavior. To apply this option, add the following line to the /etc/sudoers file:
        Defaults cmnd_no_wait
BZ#841070
Updating the sudo package resulted in the "sudoers" line in /etc/nsswitch.conf being removed. This update corrects the bug in the sudo package's post-uninstall script that caused this issue.
BZ#846631
The RHSA-2012:1149 sudo security update introduced a regression that caused the permissions of the /etc/nsswitch.conf file to change during the installation or upgrade of the sudo package. This could cause various services to be unable to access the file. In reported cases, this bug prevented PostgreSQL from starting. This update fixes the bug and the file's permissions are no longer changed in the described scenario.
BZ#846694
The dependency on the policycoreutils package, which provides the restorecon utility, was declared as a plain Requires. Consequently, the packages could be installed in the wrong order, and restorecon was needed before it had been installed. This bug has been fixed by using the context-marked dependencies "Requires(post)" and "Requires(postun)", and the installation now proceeds correctly.

Enhancement

BZ#840097
The sudo utility is able to consult the /etc/nsswitch.conf file for sudoers entries and look them up in files or in LDAP. Previously, when a match was found in the first database of sudoers entries, the look-up operation still continued in the other databases. This update adds an option to the /etc/nsswitch.conf file that allows a database to be specified; once a match is found in the specified database, the search finishes. This eliminates the need to query any other databases, thus improving the performance of sudoers entry lookups in large environments. This behavior is not enabled by default and must be configured by adding the "[SUCCESS=return]" string after the selected database. When a match is found in the database that directly precedes this string, no other databases are queried.
All users of sudo are advised to upgrade to these updated packages, which fix these bugs and add this enhancement.
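A post-upgrade check for the regressions described in this erratum (file mode and SELinux context of /etc/nsswitch.conf, the removed "sudoers:" line) and for the "[SUCCESS=return]" lookup option. This is an added example, not the erratum's or the sudo package's own code; the expected mode 0644 and owner root are assumptions, and the SELinux check only runs where restorecon is available.

```shell
#!/bin/sh
# Added example: verify /etc/nsswitch.conf after a sudo package upgrade.
# Assumptions: the file should be mode 0644, owned by root, and carry a
# "sudoers:" line. This is not the erratum's or the package's own code.

# Print "<octal mode> <owner>" for a file, on GNU or BSD stat.
file_mode_owner() {
    stat -c '%a %U' "$1" 2>/dev/null || stat -f '%Lp %Su' "$1"
}

# Return 0 when a "sudoers:" line is present (BZ#841070 removed it).
has_sudoers_line() {
    grep -q '^sudoers:' "$1"
}

# Return 0 when the sudoers line stops at the first match via
# [SUCCESS=return] (the BZ#840097 enhancement), 1 otherwise.
sudoers_stops_on_match() {
    grep -q '^sudoers:.*\[SUCCESS=return\]' "$1"
}

# Check mode, owner, sudoers line and (where restorecon exists) the SELinux
# context. Prints each finding; the return value is the number of failures.
check_nsswitch() {
    f=$1; want_mode=${2:-644}; want_owner=${3:-root}; failures=0
    set -- $(file_mode_owner "$f")
    [ "$1" = "$want_mode" ] ||
        { echo "mode is $1, expected $want_mode (BZ#846631)"; failures=$((failures+1)); }
    [ "$2" = "$want_owner" ] ||
        { echo "owner is $2, expected $want_owner"; failures=$((failures+1)); }
    has_sudoers_line "$f" ||
        { echo "sudoers: line missing (BZ#841070)"; failures=$((failures+1)); }
    # restorecon -n -v lists files whose context would change, without
    # relabelling anything; a non-empty result means the context drifted.
    if command -v restorecon >/dev/null 2>&1 &&
       [ -n "$(restorecon -n -v "$f" 2>/dev/null)" ]; then
        echo "SELinux context differs from policy default (BZ#818585)"
        failures=$((failures+1))
    fi
    return "$failures"
}

# Run the check on the real file when invoked directly with a path argument.
[ $# -eq 0 ] || check_nsswitch "$@"
```

Invoke it as `sh check.sh /etc/nsswitch.conf`; the exit status is the number of failed checks, so zero means the file survived the upgrade intact.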
An updated sudo package that fixes one security issue and several bugs is now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.

Security Fix

CVE-2012-3440
An insecure temporary file use flaw was found in the sudo package's post-uninstall script. A local attacker could possibly use this flaw to overwrite an arbitrary file via a symbolic link attack, or modify the contents of the "/etc/nsswitch.conf" file during the upgrade or removal of the sudo package.
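The flaw class above is a privileged scriptlet writing through a fixed, predictable temporary path that another local user can pre-create as a symbolic link. The following is an added example of the hardened pattern for editing /etc/nsswitch.conf from a package scriptlet, not the sudo package's own post-uninstall script: the scratch file comes from mktemp in the target's own directory, the target's mode is copied so the edit does not change permissions, and the result is put in place with an atomic rename. The function names and the filters are constructed for this illustration.

```shell
#!/bin/sh
# Added example of the hardened pattern, not the sudo package's own
# post-uninstall script. mktemp picks an unpredictable name and refuses to
# follow an existing symlink; creating it in the target's directory keeps
# the final mv an atomic rename on one filesystem; copying the mode keeps
# the edit from changing permissions (the BZ#846974 regression).

# Rewrite TARGET with the output of FILTER_FN (a function: stdin -> stdout).
edit_file_safely() {
    target=$1; filter=$2
    dir=$(dirname "$target")
    mode=$(stat -c '%a' "$target" 2>/dev/null || stat -f '%Lp' "$target") || return 1
    tmp=$(mktemp "$dir/.nsswitch.XXXXXX") || return 1
    if "$filter" < "$target" > "$tmp" && chmod "$mode" "$tmp"; then
        mv -f "$tmp" "$target"
    else
        rm -f "$tmp"
        return 1
    fi
}

# Filters: drop the sudoers line (post-uninstall) or append one (post-install).
drop_sudoers() { sed '/^sudoers:/d'; }
append_sudoers() { awk '{ print } END { print "sudoers: files" }'; }

remove_sudoers_line() { edit_file_safely "$1" drop_sudoers; }

# Add "sudoers: files" only when no sudoers line exists yet, so repeated
# package installs do not accumulate duplicate lines.
ensure_sudoers_line() {
    grep -q '^sudoers:' "$1" && return 0
    edit_file_safely "$1" append_sudoers
}
```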

Bug Fixes

BZ#844418
Previously, sudo escaped non-alphanumeric characters in commands run via "sudo -s" or "sudo -" at the wrong stage, which interfered with the authorization process, so some valid commands were not permitted. Now, non-alphanumeric characters are escaped immediately before the command is executed and no longer interfere with the authorization process.
BZ#844419
Prior to this update, the sudo utility could, under certain circumstances, fail to receive the SIGCHLD signal when it was executed from a process that blocked the SIGCHLD signal. As a consequence, sudo could become suspended and fail to exit. This update modifies the signal process mask so that sudo can exit and sends the correct output.
BZ#842759
The sudo update RHSA-2012:0309 introduced a regression that caused the Security-Enhanced Linux (SELinux) context of the "/etc/nsswitch.conf" file to change during the installation or upgrade of the sudo package. This could cause various services confined by SELinux to no longer be permitted to access the file. In reported cases, this issue prevented PostgreSQL and Postfix from starting.
BZ#844420
Updating the sudo package resulted in the "sudoers" line in "/etc/nsswitch.conf" being removed. This update corrects the bug in the sudo package's post-uninstall script that caused this issue.
BZ#844978
Prior to this update, a race condition bug existed in sudo. When a program was executed with sudo, the program could possibly exit successfully before sudo started waiting for it. In this situation, the program would be left in a zombie state and sudo would wait for it endlessly, expecting it to still be running.
All users of sudo are advised to upgrade to this updated package, which contains backported patches to correct these issues.
An updated sudo package that fixes one security issue is now available for Red Hat Enterprise Linux 5 and 6.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) associated with each description below.
The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.

Security Fix

CVE-2012-2337
A flaw was found in the way the network matching code in sudo handled multiple IP networks listed in user specification configuration directives. A user, who is authorized to run commands with sudo on specific hosts, could use this flaw to bypass intended restrictions and run those commands on hosts not matched by any of the network specifications.
All users of sudo are advised to upgrade to this updated package, which contains a backported patch to correct this issue.