Bug 1796518

Summary: [RFE] add optional check for the target user shell
Product: Red Hat Enterprise Linux 8
Reporter: Dalibor Pospíšil <dapospis>
Component: sudo
Assignee: Radovan Sroka <rsroka>
Status: CLOSED ERRATA
QA Contact: Dalibor Pospíšil <dapospis>
Severity: high
Docs Contact:
Priority: high
Version: 8.2
CC: dapospis, huzaifas
Target Milestone: rc
Keywords: FutureFeature, Patch, Triaged
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sudo-1.8.29-3.el8
Doc Type: If docs needed, set a value
Last Closed: 2020-04-28 16:46:14 UTC
Type: Bug
Bug Blocks: 1786708, 1786990    

Description Dalibor Pospíšil 2020-01-30 15:57:01 UTC
Description of problem:
Add runas_check_shell default option which will cause sudo to test the target user's shell against valid system shells from /etc/shells.

This may help to work around a situation described in likely CVE bz1786708.

Upstream patch:
https://www.sudo.ws/repos/sudo/rev/ed6db31729cd
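
An audit a defender might run before enabling `Defaults runas_check_shell` in sudoers, as an added example that is not part of the bug report or the sudo source: it lists accounts whose shell is missing from the shells file, that is, the runas targets sudo would refuse once the option is on. The function names and sample data are constructed, and treating an empty shell field as /bin/sh follows passwd(5) and is an assumption about how sudo handles it.

```shell
#!/bin/sh
# Added example: report accounts whose login shell is not in the shells file.
# Usage: invalid_shell_users [passwd_file] [shells_file]
# Prints one "user:shell" line per account that fails the membership check.
invalid_shell_users() {
    passwd_file=${1:-/etc/passwd}
    shells_file=${2:-/etc/shells}
    awk -F: '
        # First operand: shells(5) file. Skip comments and blank lines.
        FILENAME == ARGV[1] {
            line = $0
            sub(/#.*/, "", line)
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line != "") valid[line] = 1
            next
        }
        # Second operand: passwd(5) file. Field 7 is the login shell.
        NF >= 7 {
            shell = $7
            if (shell == "") shell = "/bin/sh"  # passwd(5) default for an empty field
            if (!(shell in valid)) print $1 ":" shell
        }
    ' "$shells_file" "$passwd_file"
}

# Constructed sample data, not taken from a real host.
write_sample() {
    printf "%s\n" "# constructed shells file" /bin/sh /bin/bash > "$1/shells"
    printf "%s\n" \
        "root:x:0:0:root:/root:/bin/bash" \
        "bin:x:1:1:bin:/bin:/sbin/nologin" \
        "alice:x:1000:1000::/home/alice:/bin/bash" \
        "svc:x:990:990::/var/lib/svc:/bin/false" \
        "legacy:x:1001:1001::/home/legacy:" > "$1/passwd"
}

tmp=$(mktemp -d)
write_sample "$tmp"
invalid_shell_users "$tmp/passwd" "$tmp/shells"   # bin and svc are reported
rm -rf "$tmp"
```

Run with no arguments, the function checks the live /etc/passwd against /etc/shells; accounts served from LDAP or SSSD are not in /etc/passwd and are not covered.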

Comment 6 errata-xmlrpc 2020-04-28 16:46:14 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1804

Comment 7 Doran Moppert 2021-02-02 04:22:31 UTC
*** Bug 1786990 has been marked as a duplicate of this bug. ***