8.229. sudo
8.229.1. RHBA-2014:1484 — sudo bug fix update
Updated sudo packages that fix several bugs are now available for Red Hat Enterprise Linux 6.
The sudo packages contain the sudo utility, which allows system administrators to give certain users permission to execute privileged commands used for system management without having to log in as root.
Bug Fixes
- BZ#1006447
- Previously, the sudo utility did not correctly handle the "sudo -ll" command when the System Security Services Daemon (SSSD) was used to get available sudo entries. Consequently, running "sudo -ll" returned incomplete results, as it did not list the rule names of sudo users. A patch has been applied to fix this bug, and "sudo -ll" now lists the rule names as expected when SSSD is used.
- BZ#1006463
- Prior to this update, sudo did not respond correctly to the root user's request to list the privileges for a specified user when SSSD was used. As a consequence, running the "sudo -l -U" command for a certain user as root returned incomplete results, while running the same command as the user worked as expected. The source code has been updated to fix this problem, and executing "sudo -l -U" as root now returns correct results.
- BZ#1052940
- Previously, sudo did not correctly handle the situation when the group specification in the /etc/sudoers file contained escape characters on systems integrated with the Active Directory (AD) service. As a consequence, specifying a custom password prompt for a group containing escape characters did not work, as sudo displayed the default password prompt instead when a member of that group used sudo. A patch has been applied to fix this bug, and setting a custom password prompt now works as expected even if the group specification contains escape characters.
- BZ#1065415
- Previously, the sesh process, when called as "-sesh" by sudo, executed the login shell with an incorrect path name, as it replaced the last slash character in the shell path with a dash while the rest of the path remained unchanged. As a consequence, the login shell was being called as "/bin-[shell]" instead of "-[shell]", which could result in unexpected system behavior. The source code has been updated to fix this bug, and sesh no longer causes this problem.
- BZ#1070952
- Previously, the pam_faillock module did not acknowledge the attempts to terminate sudo login with the Ctrl+C shortcut after the password prompt showed up. As a consequence, sudo continued to try to log in and eventually locked the user out. The problem has been fixed, and even though an attempt terminated with Ctrl+C still counts as one failed attempt to log in, sudo no longer locks the user out.
- BZ#1078338
- Previously, sudo did not correctly handle setting the NIS domain name value as "(none)", as it considered the "(none)" text string a valid domain name. Consequently, the getdomainname() function returned "(none)" as the NIS domain name instead of recognizing that no domain name was set. The source code has been updated to fix this problem, and sudo now handles the described situation correctly.
- BZ#1083064
- Prior to this update, when a sudo rule contained the +netgroup variable in the sudoUser attribute, the system ignored the rest of the sudo rule under certain circumstances. Consequently, executing the "sudo -l" command did not show the complete list of rules configured for the specified user. With this update, the problem has been fixed, and running "sudo -l" now shows the complete list of rules even when a sudo rule contains the +netgroup variable.
Users of sudo are advised to upgrade to these updated packages, which fix these bugs.
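The argv[0] handling described for BZ#1065415, shown as an added example that is not sudo's source code: the function names and sample paths are constructed here, and the buggy variant is reconstructed from the description above. A shell treats itself as a login shell only when argv[0] begins with a dash, which "/bin-bash" does not.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Behaviour described for BZ#1065415 (reconstructed from the text, not
 * taken from sudo): the last '/' in the shell path is overwritten with
 * '-' and the rest of the path is kept, so argv[0] still starts with '/'. */
char *login_argv0_buggy(const char *shell_path)
{
    size_t len = strlen(shell_path);
    char *copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, shell_path, len + 1);
    char *slash = strrchr(copy, '/');
    if (slash != NULL)
        *slash = '-';
    return copy;                      /* "/bin/bash" -> "/bin-bash" */
}

/* Login-shell convention: argv[0] is '-' followed by the basename only. */
char *login_argv0_fixed(const char *shell_path)
{
    const char *slash = strrchr(shell_path, '/');
    const char *base = slash ? slash + 1 : shell_path;
    size_t len = strlen(base);
    char *out = malloc(len + 2);      /* '-' + basename + NUL */
    if (out == NULL)
        return NULL;
    out[0] = '-';
    memcpy(out + 1, base, len + 1);
    return out;                       /* "/bin/bash" -> "-bash" */
}

int main(void)
{
    const char *samples[] = { "/bin/bash", "/usr/bin/zsh", "sh" }; /* constructed */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        char *bad = login_argv0_buggy(samples[i]);
        char *good = login_argv0_fixed(samples[i]);
        if (bad == NULL || good == NULL) { free(bad); free(good); return 1; }
        printf("%-14s buggy=%-14s fixed=%s\n", samples[i], bad, good);
        free(bad);
        free(good);
    }
    return 0;
}
```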