RHBA-2010:0212 - Bug Fix Advisory

Topic

An updated sudo package that fixes various bugs is now available.

Description

The sudo (super user do) utility allows system administrators to give
certain users the ability to run commands as root with logging.

This update addresses the following issues:

• if runas_default=[value] was set in the sudoers file, running a command

such as "sudo -i" returned a collection of system groups rather than
switching the current user to the user specified by the runas_default
parameter. This has been corrected with this update: setting the
runas_default parameter in the sudoers file now works as expected.
(BZ#497873)

• the /etc/sudoers configuration file supports expressing ranges such as

"[A-Z]" and "[a-z]" when delineating permissions on files. However, the
range "[A-z]" (uppercase 'A' to lowercase 'z') was not equivalent to
"[A-Za-z]" in certain locales, such as those using the UTF-8 character
encoding. With this update, the range "[A-z]" can be used in the sudoers
file to restrict access to files with names that use only basic Latin
alphabetical characters. (BZ#512191)

• the variable used for iterating wildcards (such as * and !) was being

freed incorrectly. As a consequence, situations where a single file with a
long file name was the only wildcard match would result in an error,
restricting access. The sudo utility now correctly frees the glob iterator,
and long file names work as expected with wildcard characters. (BZ#521778)

• visudo is a tool for editing the sudoers file that locks against

simultaneous editing and provides other error checking. The visudo tool did
not support unused aliases, and as a result any unused aliases in the
sudoers file would cause visudo to fail with an error. The visudo tool has
been updated to handle unused aliases, and now no longer fails when
encountering them in the sudoers file. (BZ#550326)

• user names that are identical to process UIDs (unique identifiers), such

as 'proxy', are allowable. Previously, sudo erroneously rejected commands
such as 'sudo su - proxy', interpreting the user name as the process UID,
resulting in these super users being unable to authenticate. The sudo
utility now differentiates between user names and process UIDs, and users
authenticate as expected. (BZ#500942)

• the requiretty option requires a user to use only a real terminal (TTY).

When sudo was used over LDAP (Lightweight Directory Access Protocol), the
!requiretty (TTY not required) option was incorrectly interpreted, and
access was not granted to users from non-TTY connections. The sudo utility
now correctly sets the !requiretty option for LDAP users, and they can
connect normally. (BZ#521903)

• the #includedir directive includes the contents of external directories

in the current file. The directive was not supported in the sudoers file
and sudo utility, and as a result external settings files could not be
included. The sudo utility now supports the #includedir directory, and
external settings files can be used in the sudoers file. (BZ#538700)

• a bug in the realloc() function caused sudo to crash with a segfault when

using a sudoers file with a deep #include structure. This update corrects
this. Note: the hard limit of 128 nested include files (enforced to prevent
#include file loops) remains. (BZ#561336)

All users of sudo are advised to upgrade to this updated package, which
resolves these issues.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 497873 - sudo gives bogus group membership if runas_default=xxx is used
• BZ - 512191 - unable to use globs to restrict arguements
• BZ - 521778 - sudo wildcard issue with long file names
• BZ - 550326 - shipped /etc/sudoers has "unused Cmnd_Alias DELEGATING"
• BZ - 561336 - segfault when #include directive is used in cycles

CVEs

(none)

References

(none)