RHBA-2013:0112 - Bug Fix Advisory

Topic

Updated sudo packages that fix several bugs and add one enhancement are now
available for Red Hat Enterprise Linux 5.

Description

The sudo (superuser do) utility allows system administrators to give specific
users the ability to run commands as root.

This update fixes the following bugs:

• Previously, sudo escaped non-alphanumeric characters in commands using "sudo
• s" or "sudo -" at the wrong place and interfered with the authorization

process. Some valid commands were not permitted. Now, non-alphanumeric
characters are escaped immediately before the command is executed and no longer
interfere with the authorization process. (BZ#806073)

• Prior to this update, the sudo utility could fail to receive the SIGCHLD

signal when it was executed from a process that blocked the SIGCHLD signal. As a
consequence, sudo could become suspended and fail to exit. This update modifies
the signal process mask so that sudo can exit and sends the correct output.
(BZ#814508)

• The sudo update RHSA-2012:0309 introduced a regression that caused the SELinux

context of the /etc/nsswitch.conf file to change during installation or upgrade
of the sudo package. This could cause that various services confined by SELinux
were no longer permitted to access the file. In reported cases, this issue
prevented PostgreSQL and Postfix from starting. (BZ#818585)

• Prior to this update, a race condition bug existed in sudo. When a program was

executed with sudo, it could exit successfully before sudo started waiting for
it. In this situation, the program became a defunct process and sudo waited for
it endlessly as it expected the program was still running. (BZ#829263)

• The sudo update RHSA-2012:0309 changed the behavior of sudo; it now runs

commands as a child process instead of executing them directly and replacing the
running process. This change could cause errors in some external scripts. A new
cmnd_no_wait configuration option was added to restore the old behavior. To
apply this option, add the following line to the /etc/sudoers file:

Defaults cmnd_no_wait

(BZ#840971)

• Updating the sudo package resulted in the "sudoers" line in /etc/nsswitch.conf

being removed. This update corrects the bug in the sudo package's post-uninstall
script that caused this issue. (BZ#841070)

• The RHSA-2012:1149 sudo security update introduced a regression that caused

the permissions of the /etc/nsswitch.conf file to change during the installation
or upgrade of the sudo package. This could cause various services to be unable
to access the file. In reported cases, this bug prevented PostgreSQL from
starting. This update fixes the bug and the file's permissions are no longer
changed in the described scenario. (BZ#846631)

• The policycoreutils package dependency, which includes the restorecon utility,

was set to Requires only. Consequently, the installation proceeded in the
incorrect order and restorecon was required before it was installed. This bug
has been fixed by using a context marked dependency "Requires(post)" and
"Requires(postun)", and the installation now proceeds correctly. (BZ#846694)

Also, this update adds the following enhancement:

• The sudo utility is able to consult the /etc/nsswitch.conf file for sudoers

entries and look them up in files or in LDAP. Previously, when a match was found
in the first database of sudoers entries, the look-up operation still continued
in other databases. This update adds an option to the /etc/nsswitch.conf file
that allows specifying a database. Once a match was found in the specified
database, the search is finished. This eliminates the need to query any other
databases; thus, improving the performance of sudoers entry look ups in large
environments. This behavior is not enabled by default and must be configured by
adding the "[SUCCESS=return]" string after a selected database. When a match is
found in a database that directly precedes this string, no other databases are
queried. (BZ#840097)

All users of sudo are advised to upgrade to these updated packages, which fix
these bugs and add this enhancement.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 5 x86_64
• Red Hat Enterprise Linux Server 5 ia64
• Red Hat Enterprise Linux Server 5 i386
• Red Hat Enterprise Linux Workstation 5 x86_64
• Red Hat Enterprise Linux Workstation 5 i386
• Red Hat Enterprise Linux Desktop 5 x86_64
• Red Hat Enterprise Linux Desktop 5 i386
• Red Hat Enterprise Linux for IBM z Systems 5 s390x
• Red Hat Enterprise Linux for Power, big endian 5 ppc
• Red Hat Enterprise Linux Server from RHUI 5 x86_64
• Red Hat Enterprise Linux Server from RHUI 5 i386

Fixes

• BZ - 818585 - selinux blocks postgresql startup
• BZ - 829263 - Sudo has racecondition leaving sudo with its zombie child running forever
• BZ - 841070 - sudo 1.7.2p1-14.el5_8 removed sudoers line from nsswitch.conf
• BZ - 846631 - Postgresql fail to start on RHEL 5.8

CVEs

(none)

References

(none)