- Issued:
- 2010-03-30
- Updated:
- 2010-03-30
RHBA-2010:0212 - Bug Fix Advisory
Synopsis
sudo bug fix update
Type/Severity
Bug Fix Advisory
Red Hat Insights patch analysis
Identify and remediate systems affected by this advisory.
Topic
An updated sudo package that fixes various bugs is now available.
Description
The sudo (super user do) utility allows system administrators to give
certain users the ability to run commands as root with logging.
This update addresses the following issues:
- if runas_default=[value] was set in the sudoers file, running a command
such as "sudo -i" returned a collection of system groups rather than
switching the current user to the user specified by the runas_default
parameter. This has been corrected with this update: setting the
runas_default parameter in the sudoers file now works as expected.
(BZ#497873)
- the /etc/sudoers configuration file supports expressing ranges such as
"[A-Z]" and "[a-z]" when delineating permissions on files. However, the
range "[A-z]" (uppercase 'A' to lowercase 'z') was not equivalent to
"[A-Za-z]" in certain locales, such as those using the UTF-8 character
encoding. With this update, the range "[A-z]" can be used in the sudoers
file to restrict access to files with names that use only basic Latin
alphabetical characters. (BZ#512191)
- the variable used for iterating wildcards (such as * and !) was being
freed incorrectly. As a consequence, situations where a single file with a
long file name was the only wildcard match would result in an error,
restricting access. The sudo utility now correctly frees the glob iterator,
and long file names work as expected with wildcard characters. (BZ#521778)
- visudo is a tool for editing the sudoers file that locks against
simultaneous editing and provides other error checking. The visudo tool did
not support unused aliases, and as a result any unused aliases in the
sudoers file would cause visudo to fail with an error. The visudo tool has
been updated to handle unused aliases, and now no longer fails when
encountering them in the sudoers file. (BZ#550326)
- user names that are identical to process UIDs (unique identifiers), such
as 'proxy', are allowable. Previously, sudo erroneously rejected commands
such as 'sudo su - proxy', interpreting the user name as the process UID,
resulting in these super users being unable to authenticate. The sudo
utility now differentiates between user names and process UIDs, and users
authenticate as expected. (BZ#500942)
- the requiretty option requires a user to use only a real terminal (TTY).
When sudo was used over LDAP (Lightweight Directory Access Protocol), the
!requiretty (TTY not required) option was incorrectly interpreted, and
access was not granted to users from non-TTY connections. The sudo utility
now correctly sets the !requiretty option for LDAP users, and they can
connect normally. (BZ#521903)
- the #includedir directive includes the contents of external directories
in the current file. The directive was not supported in the sudoers file
and sudo utility, and as a result external settings files could not be
included. The sudo utility now supports the #includedir directory, and
external settings files can be used in the sudoers file. (BZ#538700)
- a bug in the realloc() function caused sudo to crash with a segfault when
using a sudoers file with a deep #include structure. This update corrects
this. Note: the hard limit of 128 nested include files (enforced to prevent
#include file loops) remains. (BZ#561336)
All users of sudo are advised to upgrade to this updated package, which
resolves these issues.
Solution
Before applying this update, make sure all previously-released errata
relevant to your system have been applied.
This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
Affected Products
- Red Hat Enterprise Linux Server 5 x86_64
- Red Hat Enterprise Linux Server 5 ia64
- Red Hat Enterprise Linux Server 5 i386
- Red Hat Enterprise Linux Workstation 5 x86_64
- Red Hat Enterprise Linux Workstation 5 i386
- Red Hat Enterprise Linux Desktop 5 x86_64
- Red Hat Enterprise Linux Desktop 5 i386
- Red Hat Enterprise Linux for IBM z Systems 5 s390x
- Red Hat Enterprise Linux for Power, big endian 5 ppc
- Red Hat Enterprise Linux Server from RHUI 5 x86_64
- Red Hat Enterprise Linux Server from RHUI 5 i386
Fixes
- BZ - 497873 - sudo gives bogus group membership if runas_default=xxx is used
- BZ - 512191 - unable to use globs to restrict arguements
- BZ - 521778 - sudo wildcard issue with long file names
- BZ - 550326 - shipped /etc/sudoers has "unused Cmnd_Alias DELEGATING"
- BZ - 561336 - segfault when #include directive is used in cycles
CVEs
(none)
References
(none)
Red Hat Enterprise Linux Server 5
SRPM | |
---|---|
sudo-1.7.2p1-5.el5.src.rpm | SHA-256: f5e4e3a50ed5ea1e4c946f643bdb69767e2cd7a84c598ffe63c5bf45d88862c2 |
x86_64 | |
sudo-1.7.2p1-5.el5.x86_64.rpm | SHA-256: 50b47d6c38b1f33ab1f5a2b8bac6f8e67148b78e93ec549862f1b5d91265d8b9 |
ia64 | |
sudo-1.7.2p1-5.el5.ia64.rpm | SHA-256: 8d0e49366f45f8696e6ea2c12e6ce0cb85795c9bf45ea66e95832574fc66da52 |
i386 | |
sudo-1.7.2p1-5.el5.i386.rpm | SHA-256: a2c0dfc1e4a776141b42cf929ab99e2472b81ad5ef52f1f9691e4b1243f2e1a7 |
Red Hat Enterprise Linux Workstation 5
SRPM | |
---|---|
sudo-1.7.2p1-5.el5.src.rpm | SHA-256: f5e4e3a50ed5ea1e4c946f643bdb69767e2cd7a84c598ffe63c5bf45d88862c2 |
x86_64 | |
sudo-1.7.2p1-5.el5.x86_64.rpm | SHA-256: 50b47d6c38b1f33ab1f5a2b8bac6f8e67148b78e93ec549862f1b5d91265d8b9 |
i386 | |
sudo-1.7.2p1-5.el5.i386.rpm | SHA-256: a2c0dfc1e4a776141b42cf929ab99e2472b81ad5ef52f1f9691e4b1243f2e1a7 |
Red Hat Enterprise Linux Desktop 5
SRPM | |
---|---|
sudo-1.7.2p1-5.el5.src.rpm | SHA-256: f5e4e3a50ed5ea1e4c946f643bdb69767e2cd7a84c598ffe63c5bf45d88862c2 |
x86_64 | |
sudo-1.7.2p1-5.el5.x86_64.rpm | SHA-256: 50b47d6c38b1f33ab1f5a2b8bac6f8e67148b78e93ec549862f1b5d91265d8b9 |
i386 | |
sudo-1.7.2p1-5.el5.i386.rpm | SHA-256: a2c0dfc1e4a776141b42cf929ab99e2472b81ad5ef52f1f9691e4b1243f2e1a7 |
Red Hat Enterprise Linux for IBM z Systems 5
SRPM | |
---|---|
sudo-1.7.2p1-5.el5.src.rpm | SHA-256: f5e4e3a50ed5ea1e4c946f643bdb69767e2cd7a84c598ffe63c5bf45d88862c2 |
s390x | |
sudo-1.7.2p1-5.el5.s390x.rpm | SHA-256: ad55ac34fc6119ac9b8ab0404213aac6b89813250ad888a43b11c4d4b3674c6c |
Red Hat Enterprise Linux for Power, big endian 5
SRPM | |
---|---|
sudo-1.7.2p1-5.el5.src.rpm | SHA-256: f5e4e3a50ed5ea1e4c946f643bdb69767e2cd7a84c598ffe63c5bf45d88862c2 |
ppc | |
sudo-1.7.2p1-5.el5.ppc.rpm | SHA-256: 586eaec3314132c62d899b37a576551fd61c2a2dcacecc05e0c411fa163433ad |
Red Hat Enterprise Linux Server from RHUI 5
SRPM | |
---|---|
sudo-1.7.2p1-5.el5.src.rpm | SHA-256: f5e4e3a50ed5ea1e4c946f643bdb69767e2cd7a84c598ffe63c5bf45d88862c2 |
x86_64 | |
sudo-1.7.2p1-5.el5.x86_64.rpm | SHA-256: 50b47d6c38b1f33ab1f5a2b8bac6f8e67148b78e93ec549862f1b5d91265d8b9 |
i386 | |
sudo-1.7.2p1-5.el5.i386.rpm | SHA-256: a2c0dfc1e4a776141b42cf929ab99e2472b81ad5ef52f1f9691e4b1243f2e1a7 |
The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.