8.229. sudo

Bug Fixes

BZ#1006447

Previously, the sudo utility did not correctly handle the "sudo -ll" command when the System Security Service Daemon (SSSD) was used to get available sudo entries. Consequently, running "sudo -ll" returned incomplete results, as it did not list the rule names of sudo users. A patch has been applied to fix this bug, and "sudo -ll" now lists the rule names as expected when SSSD is used.

BZ#1006463

Prior to this update, sudo did not respond correctly to the root user's request to list the privileges for a specified user when SSSD was used. As a consequence, running the "sudo -l -U" command for a certain user as root returned incomplete results, while running the same command as the user worked as expected. The source code has been updated to fix this problem, and executing "sudo -l -U" as root now returns correct results.

BZ#1052940

Previously, sudo did not correctly handle the situation when the group specification in the /etc/sudoers file contained escape characters on systems integrated with the Active Directory (AD) service. As a consequence, specifying a custom password prompt for a group containing escape characters did not work, as sudo displayed the default password prompt instead when a member of that group used sudo. A patch has been applied to fix this bug, and setting a custom password prompt now works as expected even if the group specification contains escape characters.

BZ#1065415

Previously, the sesh process, when called as "-sesh" by sudo, executed the login shell with an incorrect path name, as it replaced the last slash character in the shell path with a dash while the rest of the path remained unchanged. As a consequence, the login shell was being called as "/bin-[shell]" instead of "-[shell]", which could result in unexpected system behavior. The source code has been updated to fix this bug, and sesh no longer causes this problem.

BZ#1070952

Previously, the pam_faillock module did not acknowledge the attempts to terminate sudo login with the Ctrl+C shortcut after the password prompt showed up. As a consequence, sudo continued to try to log in and eventually locked the user out. The problem has been fixed, and even though an attempt terminated with Ctrl+C still counts as one failed attempt to log in, sudo no longer locks the user out.

BZ#1078338

Previously, sudo did not correctly handle setting the NIS domain name value as "(none)", as it considered the "(none)" text string a valid domain name. Consequently, the getdomainname() function returned "(none)" as the NIS domain name instead of recognizing that no domain name was set. The source code has been updated to fix this problem, and sudo now handles the described situation correctly.

BZ#1083064

Prior to this update, when a sudo rule contained the +netgroup variable in the sudoUser attribute, the system ignored the rest of the sudo rule under certain circumstances. Consequently, executing the "sudo -l" command did not show the complete list of rules configured for the specified user. With this update, the problem has been fixed, and running "sudo -l" now shows the complete list of rules even when a sudo rule contains the +netgroup variable.