Bug 615087

Summary: Rebase sudo to version 1.7.3
Product: Red Hat Enterprise Linux 6
Reporter: Mike Khusid <mkhusid>
Component: sudo
Assignee: Daniel Kopeček <dkopecek>
Status: CLOSED ERRATA
QA Contact: Milos Malik <mmalik>
Severity: medium
Docs Contact:
Priority: high
Version: 6.1
CC: abaron, cpelland, danken, hateya, jofernan, mgoldboi, mmalik, rlerch, sgrubb
Target Milestone: rc
Keywords: Rebase
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: sudo-1.7.4p5-4.el6
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Rebased to 1.7.4p5. Notable major changes since 1.7.2p2:
- If the user has no supplementary groups, sudo will now fall back on checking the group file explicitly, which restores historic sudo behavior.
- Suspending and resuming the bash shell when PAM is in use now works properly. The SIGCONT signal was not being propagated to the child process.
- Sudo no longer prints a warning when the -k or -K options are specified and the ticket file does not exist.
- Time stamp files have moved from /var/run/sudo to /var/db/sudo. This prevents users from receiving the sudo lecture every time the system reboots. Time stamp files older than the boot time are ignored on systems where it is possible to determine this.
- Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile" in ldap.conf.
- Visudo will now treat an unrecognized Defaults entry as a parse error (sudo will warn but still run).
- The tty_tickets option is now on by default.
- If PAM is in use, wait until the process has finished before closing the PAM session.
- Support for logging a command's input and output as well as the ability to replay sessions.
- When the tty_tickets sudoers option is enabled but there is no terminal device, sudo will no longer use or create a tty-based ticket file. Previously, sudo would use a tty name of "unknown". As a consequence, if a user has no terminal device, sudo will now always prompt for a password.
- Qualify the command even if it is in the current working directory, e.g. "./foo" instead of just returning "foo". This removes an ambiguity between real commands and possible pseudo-commands in command matching.
- Implemented /etc/sudoers.d directory
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-05-19 11:46:33 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 565939, 607923

Description Mike Khusid 2010-07-15 21:45:50 UTC
Description of problem:
http://www.sudo.ws/sudo/stable.html
 Major changes between version 1.7.2p8 and 1.7.3:

    * Support for logging a command's input and output as well as the ability to replay sessions. For more information, see the documentation for the log_input and log_output Defaults options in the sudoers manual. Also see the sudoreplay manual for information on replaying I/O log sessions.

    * The use_pty sudoers option can be used to force a command to be run in a pseudo-pty, even when I/O logging is not enabled.

    * On some systems, sudo can now detect when a user has logged out and back in again when tty-based time stamps are in use. Supported systems include Solaris systems with the devices file system, Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys only).

    * On AIX systems, the registry setting in /etc/security/user is now taken into account when looking up users and groups. Sudo now applies the correct user and group ids when running a command as a user whose account details come from a different source (e.g. LDAP or DCE vs. local files).

    * Support for multiple sudoers_base and uri entries in ldap.conf. When multiple entries are listed, sudo will try each one in the order in which they are specified.

    * Sudo's SELinux support should now function correctly when running commands as a non-root user and when one of stdin, stdout or stderr is not a terminal.

    * Sudo will now use the Linux audit system when configured with the --with-linux-audit flag.

    * Sudo now uses mbr_check_membership() on systems that support it to determine group membership. Currently, only Darwin (Mac OS X) supports this.

    * When the tty_tickets sudoers option is enabled but there is no terminal device, sudo will no longer use or create a tty-based ticket file. Previously, sudo would use a tty name of "unknown". As a consequence, if a user has no terminal device, sudo will now always prompt for a password.

    * The passwd_timeout and timestamp_timeout options may now be specified as floating point numbers for more granular timeout values.

    * Negating the fqdn option in sudoers now works correctly when sudo is configured with the --with-fqdn option. In previous versions of sudo the fqdn was set before sudoers was parsed. 

Version-Release number of selected component (if applicable):
sudo-1.7.2p2-4.el6.x86_64
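The Defaults options named in the changelog above (log_input/log_output for sudoreplay, use_pty, tty_tickets, and fractional passwd_timeout/timestamp_timeout values), as an added example that is not part of this bug report or of the sudo package: a POSIX shell script that renders a sudoers Defaults fragment enabling them and syntax-checks it with visudo -c -f when visudo is installed. The temporary path and the timeout values are illustrative choices.

```shell
#!/bin/sh
# Added example, not from the bug report or from sudo itself. Renders a
# sudoers Defaults fragment that turns on the 1.7.3 options listed above
# and checks its syntax with visudo when one is present. Values are assumed.

# Print the fragment. Timeouts are in minutes; the fractional values rely
# on the 1.7.3 change that lets passwd_timeout/timestamp_timeout be floats.
render_defaults() {
    cat <<'EOF'
# I/O logging: record the command's input and output for sudoreplay.
Defaults log_input, log_output
# Run every command in a pseudo-tty even when I/O logging is disabled.
Defaults use_pty
# Per-tty timestamp tickets (on by default in the rebased version; made
# explicit here). With no terminal device sudo creates no ticket and prompts.
Defaults tty_tickets
# Re-prompt after 2.5 minutes idle; give up on the password prompt after 30s.
Defaults timestamp_timeout=2.5
Defaults passwd_timeout=0.5
EOF
}

# Number of Defaults lines in a fragment file (a cheap sanity check that
# also works on a host without visudo).
count_defaults() {
    grep -c '^Defaults' "$1"
}

# True if the fragment sets the named option, whether it stands alone
# ("Defaults use_pty"), carries a value ("timestamp_timeout=2.5") or sits
# in a comma list ("log_input, log_output").
sets_option() {
    grep -E '^Defaults' "$1" | grep -Eq "(^|[[:space:],])$2([=,[:space:]]|\$)"
}

# Syntax-check a fragment with visudo -c -f. Returns visudo's status when
# it is installed and 0 (with a notice) when it is not, so the script can
# run on a workstation that merely generates the file.
check_fragment() {
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$1"
    else
        echo "visudo not found; skipping syntax check of $1" >&2
    fi
}

# Illustrative driver: write the fragment to a temporary file and check it.
main() {
    tmp=$(mktemp /tmp/sudoers-defaults.XXXXXX) || exit 1
    render_defaults > "$tmp"
    chmod 0440 "$tmp"
    echo "wrote $tmp with $(count_defaults "$tmp") Defaults lines"
    check_fragment "$tmp"
    rm -f "$tmp"
}

main "$@"
```

On the target host the fragment would go under /etc/sudoers (or a drop-in directory) rather than /tmp; the script only generates and checks it.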

Comment 2 RHEL Program Management 2010-07-15 22:17:40 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release. It has
been denied for the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 4 Daniel Kopeček 2010-11-23 10:10:13 UTC
*** Bug 639682 has been marked as a duplicate of this bug. ***

Comment 7 Daniel Kopeček 2011-01-14 00:34:41 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Rebased to 1.7.4p5. Notable major changes since 1.7.2p2:

- If the user has no supplementary groups, sudo will now fall back on checking the group file explicitly, which restores historic sudo behavior.
- Suspending and resuming the bash shell when PAM is in use now works properly. The SIGCONT signal was not being propagated to the child process.
- Sudo no longer prints a warning when the -k or -K options are specified and the ticket file does not exist.
- Time stamp files have moved from /var/run/sudo to /var/db/sudo. This prevents users from receiving the sudo lecture every time the system reboots. Time stamp files older than the boot time are ignored on systems where it is possible to determine this.
- Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile" in ldap.conf.
- Visudo will now treat an unrecognized Defaults entry as a parse error (sudo will warn but still run).
- The tty_tickets option is now on by default.
- If PAM is in use, wait until the process has finished before closing the PAM session.
- Support for logging a command's input and output as well as the ability to replay sessions.
- When the tty_tickets sudoers option is enabled but there is no terminal device, sudo will no longer use or create a tty-based ticket file. Previously, sudo would use a tty name of "unknown". As a consequence, if a user has no terminal device, sudo will now always prompt for a password.
- Qualify the command even if it is in the current working directory, e.g. "./foo" instead of just returning "foo". This removes an ambiguity between real commands and possible pseudo-commands in command matching.

Comment 10 Daniel Kopeček 2011-03-23 17:51:54 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -10,4 +10,5 @@
 - If PAM is in use, wait until the process has finished before closing the PAM session.
 - Support for logging a command's input and output as well as the ability to replay sessions.
 - When the tty_tickets sudoers option is enabled but there is no terminal device, sudo will no longer use or create a tty-based ticket file. Previously, sudo would use a tty name of "unknown". As a consequence, if a user has no terminal device, sudo will now always prompt for a password.
-- Qualify the command even if it is in the current working directory, e.g. "./foo" instead of just returning "foo". This removes an ambiguity between real commands and possible pseudo-commands in command matching.+- Qualify the command even if it is in the current working directory, e.g. "./foo" instead of just returning "foo". This removes an ambiguity between real commands and possible pseudo-commands in command matching.
+- Implemented /etc/sudoers.d directory
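Review bot: the removed and re-added "Qualify the command even if it is in the current working directory ..." line in this hunk reads identically on both sides, so that -/+ pair is a no-op (most likely a whitespace or line-ending change) that makes the note's diff look larger than the one-line addition it actually carries. The new "- Implemented /etc/sudoers.d directory" bullet is also much terser than the other entries, each of which says what changed for the user; suggest stating what the directory does for administrators, e.g. that drop-in files placed under /etc/sudoers.d are now read alongside /etc/sudoers.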

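The /etc/sudoers.d directory added in the technical note above, as an added example rather than anything from the bug report or the sudo package: a POSIX shell helper that installs a drop-in fragment the way sudo expects. It applies rules from the sudoers manual that are easy to get wrong: the directory is only consulted when /etc/sudoers carries a #includedir line for it, files whose names contain a "." or end in "~" are skipped (which keeps editor backups and package leftovers such as foo.rpmnew from being parsed), and fragments must be mode 0440. Because the rebased visudo treats an unrecognized Defaults entry as a parse error, a typo such as use_ptty makes install_fragment refuse the file when visudo is present. The scratch directory under /tmp and the fragment contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the bug report or from sudo itself: install a
# drop-in fragment into a sudoers.d directory safely. Paths are assumed.

# sudo's #includedir skips files whose names contain a '.' or end in '~'
# (editor backups, *.rpmnew/*.rpmsave). Return 0 when sudo would read it.
sudoers_d_name_ok() {
    case "$1" in
        ''|*.*|*~) return 1 ;;
        *) return 0 ;;
    esac
}

# True if the main sudoers file ($1) actually pulls in directory $2.
includedir_enabled() {
    grep -Eq "^#includedir[[:space:]]+$2[[:space:]]*\$" "$1"
}

# Install src as dir/name: refuse names sudo would ignore, syntax-check
# with visudo -c -f when it is available, then copy with the 0440 mode sudo
# requires (it refuses sudoers files writable by group or other).
install_fragment() {
    src=$1; dir=$2; name=$3
    if ! sudoers_d_name_ok "$name"; then
        echo "refusing '$name': sudo would silently skip this file name" >&2
        return 1
    fi
    if command -v visudo >/dev/null 2>&1; then
        visudo -c -f "$src" >/dev/null || { echo "syntax error in $src" >&2; return 1; }
    fi
    mkdir -p "$dir" || return 1
    cp "$src" "$dir/$name" && chmod 0440 "$dir/$name"
}

# Illustrative driver against a scratch directory: a constructed fragment
# that lets the wheel group run anything and forces a pseudo-tty for it.
main() {
    work=$(mktemp -d /tmp/sudoers-demo.XXXXXX) || exit 1
    printf '%s\n' '# constructed example fragment' \
        'Defaults use_pty' \
        '%wheel ALL=(ALL) ALL' > "$work/10-wheel"
    printf '#includedir %s/sudoers.d\n' "$work" > "$work/sudoers"
    includedir_enabled "$work/sudoers" "$work/sudoers.d" \
        || echo "warning: $work/sudoers does not include the directory" >&2
    install_fragment "$work/10-wheel" "$work/sudoers.d" 10-wheel
    install_fragment "$work/10-wheel" "$work/sudoers.d" 10-wheel.rpmnew \
        || echo "(rejected as expected)"
    ls -l "$work/sudoers.d"
    rm -rf "$work"
}

main "$@"
```

The same checks apply when fragments are shipped by configuration management: a stray "." in the file name is not an error, it just makes sudo ignore the rule set without any message.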
Comment 20 errata-xmlrpc 2011-05-19 11:46:33 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0599.html