RHBA-2014:1484 - Bug Fix Advisory

Topic

Updated sudo packages that fix several bugs are now available for Red Hat
Enterprise Linux 6.

Description

The sudo packages contain the sudo utility which allows system administrators to
provide certain users with the permission to execute privileged commands, which
are used for system management purposes, without having to log in as root.

This update fixes the following bugs:

• Previously, the sudo utility did not correctly handle the "sudo -ll" command

when the System Security Service Daemon (SSSD) was used to get available sudo
entries. Consequently, running "sudo -ll" returned incomplete results, as it did
not list the rule names of sudo users. A patch has been applied to fix this bug,
and "sudo -ll" now lists the rule names as expected when SSSD is used.
(BZ#1006447)

• Prior to this update, sudo did not respond correctly to the root user's

request to list the privileges for a specified user when SSSD was used. As a
consequence, running the "sudo -l -U" command for a certain user as root
returned incomplete results, while running the same command as the user worked
as expected. The source code has been updated to fix this problem, and executing
"sudo -l -U" as root now returns correct results. (BZ#1006463)

• Previously, sudo did not correctly handle the situation when the group

specification in the /etc/sudoers file contained escape characters on systems
integrated with the Active Directory (AD) service. As a consequence, specifying
a custom password prompt for a group containing escape characters did not work,
as sudo displayed the default password prompt instead when a member of that
group used sudo. A patch has been applied to fix this bug, and setting a custom
password prompt now works as expected even if the group specification contains
escape characters. (BZ#1052940)

• Previously, the sesh process, when called as "-sesh" by sudo, executed the

login shell with an incorrect path name, as it replaced the last slash character
in the shell path with a dash while the rest of the path remained unchanged. As
a consequence, the login shell was being called as "/bin-[shell]" instead of
"-[shell]", which could result in unexpected system behavior. The source code
has been updated to fix this bug, and sesh no longer causes this problem.
(BZ#1065415)

• Previously, the pam_faillock module did not acknowledge the attempts to

terminate sudo login with the Ctrl+C shortcut after the password prompt showed
up. As a consequence, sudo continued to try to log in and eventually locked the
user out. The problem has been fixed, and even though an attempt terminated with
Ctrl+C still counts as one failed attempt to log in, sudo no longer locks the
user out. (BZ#1070952)

• Previously, sudo did not correctly handle setting the NIS domain name value as

"(none)", as it considered the "(none)" text string a valid domain name.
Consequently, the getdomainname() function returned "(none)" as the NIS domain
name instead of recognizing that no domain name was set. The source code has
been updated to fix this problem, and sudo now handles the described situation
correctly. (BZ#1078338)

• Prior to this update, when a sudo rule contained the +netgroup variable in the

sudoUser attribute, the system ignored the rest of the sudo rule under certain
circumstances. Consequently, executing the "sudo -l" command did not show the
complete list of rules configured for the specified user. With this update, the
problem has been fixed, and running "sudo -l" now shows the complete list of
rules even when a sudo rule contains the +netgroup variable. (BZ#1083064)

Users of sudo are advised to upgrade to these updated packages, which fix these
bugs.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258

Affected Products

• Red Hat Enterprise Linux Server 6 x86_64
• Red Hat Enterprise Linux Server 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support 6 i386
• Red Hat Enterprise Linux Workstation 6 x86_64
• Red Hat Enterprise Linux Workstation 6 i386
• Red Hat Enterprise Linux Desktop 6 x86_64
• Red Hat Enterprise Linux Desktop 6 i386
• Red Hat Enterprise Linux for IBM z Systems 6 s390x
• Red Hat Enterprise Linux for Power, big endian 6 ppc64
• Red Hat Enterprise Linux for Scientific Computing 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 x86_64
• Red Hat Enterprise Linux Server from RHUI 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support (for IBM z Systems) 6 s390x
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 x86_64
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension 6 i386
• Red Hat Enterprise Linux Server - Extended Life Cycle Support Extension (for IBM z Systems) 6 s390x

Fixes

• BZ - 1006447 - sudo -ll does not list the rule names when sssd is used.
• BZ - 1006463 - sudo -U <user> listing shows incorrect list when sssd is used.

CVEs

(none)

References

(none)