Bug 759480
| Field | Value |
|---|---|
| Summary | Rebase sudo to 1.8 in RHEL 6.4 |
| Product | Red Hat Enterprise Linux 6 |
| Reporter | Jakub Hrozek <jhrozek> |
| Component | sudo |
| Assignee | Daniel Kopeček <dkopecek> |
| Status | CLOSED ERRATA |
| QA Contact | Aleš Mareček <amarecek> |
| Severity | high |
| Docs Contact | |
| Priority | urgent |
| Version | 6.3 |
| CC | amarecek, dcleal, dgregor, dpal, ebenes, jbainbri, jhrozek, ksrot, pvrabec, rleander, sgallagh |
| Target Milestone | rc |
| Keywords | Rebase, Reopened |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Unspecified |
| Whiteboard | |
| Fixed In Version | sudo-1.8.6p3-1.el6 |
| Doc Type | Rebase: Bug Fixes and Enhancements |

Doc Text:
Rebase package(s) to version: 1.8.6p3

Highlights, important fixes, or notable enhancements:
- plugin API, provided by the new -devel subpackage
- sudoers is now implemented as a policy plugin
- Support for using the System Security Services Daemon (SSSD) as a source of sudoers data
- new configuration file /etc/sudo.conf for sudo frontend configuration (plugin path, coredumps, debugging, ...)
- The -D flag in sudo has been replaced with a more general debugging framework that is configured in sudo.conf
- The deprecated "noexec_file" sudoers option is no longer supported
- The "noexec" functionality has been moved out of the sudoers policy plugin and into the sudo front-end, which matches the behavior documented in the plugin writer's guide. As a result, the path to the noexec file is now specified in the sudo.conf file instead of the sudoers file
- If a user fails to authenticate and the command would be rejected by sudoers, it is now logged with "command not allowed" instead of "N incorrect password attempts". Likewise, the mail_no_perms sudoers option now takes precedence over mail_badpass.
- If the user is a member of the exempt group in sudoers, they will no longer be prompted for a password even if the -k flag is specified with the command. This makes "sudo -k command" consistent with the behavior one would get if the user ran "sudo -k" immediately before running the command.
- If the user specifies a group via sudo's -g option that matches the target user's group in the password database, it is now allowed even if no groups are present in the Runas_Spec.
- A group ID (%#gid) may now be specified in a User_List or Runas_List. Likewise, for non-Unix groups the syntax is %:#gid.
- visudo will now fix the mode on the sudoers file even if no changes are made unless the -f option is specified.
| Field | Value |
|---|---|
| Story Points | --- |
| Clone Of | |
| | 971009 (view as bug list) |
| Environment | |
| Last Closed | 2013-02-21 09:44:01 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 761573, 782183, 791327, 840699, 971009 |
Description
Jakub Hrozek, 2011-12-02 13:47:10 UTC
Quality Engineering Management has reviewed and declined this request. You may appeal this decision by reopening this request.

Here is a summary of relevant changes, new features, etc. generated from the changelog for versions 1.7.4p5 -> 1.8.5

New features:
-------------
* Good news for QA: regression tests from upstream are included in the tarball
* Support for including sudoers files/directories (#includedir). It's possible to implement an /etc/sudoers.d directory.
* Plugins + plugin API.
* new configuration file /etc/sudo.conf
* It is now possible to prevent the disabling of core dumps from within sudo itself by adding a line to the sudo.conf file like "Set disable_coredump false".
* It is now possible to specify the sudoers path, uid, gid and file mode as options to the plugin in the sudo.conf file.
* A new group provider plugin, system_group, is included which performs group lookups by name using the system groups database. This can be used to restore the pre-1.7.3 sudo group lookup behavior.

Changes in behaviour
--------------------
* If the user specifies a group via sudo's -g option that matches the target user's group in the password database, it is now allowed even if no groups are present in the Runas_Spec.
* Group ownership of the sudoers file is now only enforced when the file mode on sudoers allows group readability or writability.
* The NOPASSWD tag is now honored for denied commands too, which matches historic sudo behavior (prior to sudo 1.7.0).
* When matching groups in the sudoers file, sudo will now match based on the name of the group instead of the group ID. This can substantially reduce the number of group lookups for sudoers files that contain a large number of groups.
* Sudo will now create an entry in the utmp (or utmpx) file when allocating a pseudo-tty (e.g. when logging I/O). The "set_utmp" and "utmp_runas" sudoers file options can be used to control this. Other policy plugins may use the "set_utmp" and "utmp_user" entries in the command_info list.
* Spaces in command line arguments for sudo -s and sudo -i are now escaped with a backslash when checking the security policy.
* If the group vector is to be preserved, the PATH search for the command is now done with the user's original group vector.
* On systems with an SVR4-style /proc file system, the /proc/pid/psinfo file is now used to determine the controlling terminal, if possible. This allows tty-based tickets to work properly even when, e.g., standard input, output and error are redirected to /dev/null.
* The user/group/mode checks on sudoers files have been relaxed. As long as the file is owned by the sudoers uid, not world-writable and not writable by a group other than the sudoers gid, the file is considered OK. Note that visudo will still set the mode to the value specified at configure time.
* When "noexec" is enabled, sudo_noexec.so will now be prepended to any existing LD_PRELOAD variable instead of replacing it.
* The sudo_noexec.so shared library now wraps the execvpe(), exect(), posix_spawn() and posix_spawnp() functions.
* /etc/environment is no longer read directly on Linux systems when PAM is used. Sudo now merges the PAM environment into the user's environment, which is typically set by the pam_env module.
* If none of the standard input, output or error are connected to a tty device, sudo will now check its parent's standard input, output or error for the tty name on systems with /proc and BSD systems that support the KERN_PROC_PID sysctl. This allows tty-based tickets to work properly even when, e.g., standard input, output and error are redirected to /dev/null.

Backwards incompatible changes:
-------------------------------
* The -D flag in sudo has been replaced with a more general debugging framework that is configured in sudo.conf.
* The deprecated "noexec_file" sudoers option is no longer supported.
* The "noexec" functionality has been moved out of the sudoers policy plugin and into the sudo front-end, which matches the behavior documented in the plugin writer's guide. As a result, the path to the noexec file is now specified in the sudo.conf file instead of the sudoers file.

sudoers:
--------
* A group ID (%#gid) may now be specified in a User_List or Runas_List. Likewise, for non-Unix groups the syntax is %:#gid.
* Support for double-quoted words in the sudoers file has been fixed. The change in 1.7.5 for escaping the double quote character caused the double quoting to only be available at the beginning of an entry.
* White space is now permitted within a User_List when used in conjunction with a per-user Defaults definition.

visudo:
-------
* visudo -c will now list any include files that were checked in addition to the main sudoers file when everything parses OK.
* Users that only have read-only access to the sudoers file may now run visudo -c. Previously, write permissions were required even though no writing is done in check-only mode.
* When visudo is run with the -c (check) option, the sudoers file(s) owner and mode are now also checked unless the -f option was specified.
* visudo will now fix the mode on the sudoers file even if no changes are made unless the -f option is specified.
* Visudo no longer assumes all editors support the +linenumber command line argument. It now uses a whitelist of editors known to support the option.
* Visudo now checks the contents of an alias and warns about cycles when the alias is expanded.

LDAP:
-----
* LDAP-based sudoers may now access by group ID in addition to group name.
* For LDAP-based sudoers, values in the search expression are now escaped as per RFC 4515.
* Sudo now honors the DEREF setting in ldap.conf which controls how alias dereferencing is done during an LDAP search.
* Added support for non-RFC 4517 compliant LDAP servers that require that seconds be present in a timestamp, such as Tivoli Directory Server.
* For LDAP-based sudoers, the runas_default sudoOption now works properly in a sudoRole that contains a sudoCommand.
* Removed extraneous parens in LDAP filter when sudoers_search_filter is enabled that can cause an LDAP search error.
* A new LDAP setting, sudoers_search_filter, has been added to ldap.conf. This setting can be used to restrict the set of records returned by the LDAP query.

1.8.6 is out; this release contains the SSSD patch. However, the release tarball doesn't contain the sssd.c file and sudo won't compile with the --with-sssd flag. I've notified upstream about this and I think that it will be corrected in 1.8.6p1. As soon as that release is out I'm going to update to that version in Fedora (probably this week).

Relevant changes since 1.8.5:
-----------------------------
* If the user is a member of the exempt group in sudoers, they will no longer be prompted for a password even if the -k flag is specified with the command. This makes "sudo -k command" consistent with the behavior one would get if the user ran "sudo -k" immediately before running the command.
* The sudoers file may now be a symbolic link. Previously, sudo would refuse to read sudoers unless it was a regular file.
* When constructing a time filter for use with LDAP sudoNotBefore and sudoNotAfter attributes, the current time now includes tenths of a second. This fixes a problem with timed entries on Active Directory.
* If a user fails to authenticate and the command would be rejected by sudoers, it is now logged with "command not allowed" instead of "N incorrect password attempts". Likewise, the mail_no_perms sudoers option now takes precedence over mail_badpass.
* Support for using the System Security Services Daemon (SSSD) as a source of sudoers data.
* Visudo will now warn about unknown Defaults entries that are per-host, per-user, per-runas or per-command.

Thank you Dan. @QE: please ensure that changes from #c26 are retested.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0363.html
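As an added illustration (not part of the bug report and not a file shipped by the sudo package), here is a minimal /etc/sudo.conf and sudoers pair that uses the 1.8 constructs listed above: the policy plugin with its file/owner/mode options, the front-end noexec path, the Debug line that replaces -D, and numeric group IDs in a User_List. The plugin library name, noexec path, log path and group IDs are assumed values.

```conf
# /etc/sudo.conf  (constructed example; paths and IDs are assumptions)
# sudoers is now a policy plugin; its file path, owner and mode are passed
# as plugin options here instead of being fixed at build time.
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0440
Plugin sudoers_io sudoers.so
# noexec moved from the sudoers plugin into the front-end: the wrapper
# library is named here; the old "noexec_file" sudoers option is gone.
Path noexec /usr/libexec/sudo/sudo_noexec.so
# Replaces the old -D flag: subsystem@level pairs, written to this file.
Debug sudo /var/log/sudo_debug all@warn,plugin@info
# Default is true; a core dump of the setuid front-end can expose
# credentials, so only set this to false during a debugging session.
Set disable_coredump true

# /etc/sudoers  (edit with visudo; visudo -c now also checks owner and mode)
# SSSD as a sudoers source is selected in /etc/nsswitch.conf
# ("sudoers: files sss"), not in this file.
# A numeric group ID is accepted in a User_List as %#gid; NOEXEC keeps
# less from spawning a shell through its ! escape.
%#1001      ALL = (root) NOEXEC: /usr/bin/less
# Non-Unix groups use %:#gid and only match when a group_plugin is configured.
%:#5000     ALL = (ALL) /sbin/service httpd restart
# Drop-in directory: the leading #include is a directive, not a comment.
#includedir /etc/sudoers.d
```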