Bug 759480

Summary: Rebase sudo to 1.8 in RHEL 6.4
Product: Red Hat Enterprise Linux 6
Reporter: Jakub Hrozek <jhrozek>
Component: sudo
Assignee: Daniel Kopeček <dkopecek>
Status: CLOSED ERRATA
QA Contact: Aleš Mareček <amarecek>
Severity: high
Priority: urgent
Version: 6.3
CC: amarecek, dcleal, dgregor, dpal, ebenes, jbainbri, jhrozek, ksrot, pvrabec, rleander, sgallagh
Target Milestone: rc
Keywords: Rebase, Reopened
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: sudo-1.8.6p3-1.el6
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Rebase package(s) to version: 1.8.6p3
Highlights, important fixes, or notable enhancements:
- plugin API, provided by the new -devel subpackage
- sudoers is now implemented as a policy plugin
- Support for using the System Security Services Daemon (SSSD) as a source of sudoers data
- new configuration file /etc/sudo.conf for sudo frontend configuration (plugin path, coredumps, debugging, ...)
- The -D flag in sudo has been replaced with a more general debugging framework that is configured in sudo.conf
- The deprecated "noexec_file" sudoers option is no longer supported
- The "noexec" functionality has been moved out of the sudoers policy plugin and into the sudo front-end, which matches the behavior documented in the plugin writer's guide. As a result, the path to the noexec file is now specified in the sudo.conf file instead of the sudoers file
- If a user fails to authenticate and the command would be rejected by sudoers, it is now logged with "command not allowed" instead of "N incorrect password attempts". Likewise, the mail_no_perms sudoers option now takes precedence over mail_badpass
- If the user is a member of the exempt group in sudoers, they will no longer be prompted for a password even if the -k flag is specified with the command. This makes "sudo -k command" consistent with the behavior one would get if the user ran "sudo -k" immediately before running the command.
- If the user specifies a group via sudo's -g option that matches the target user's group in the password database, it is now allowed even if no groups are present in the Runas_Spec.
- A group ID (%#gid) may now be specified in a User_List or Runas_List. Likewise, for non-Unix groups the syntax is %:#gid.
- visudo will now fix the mode on the sudoers file even if no changes are made unless the -f option is specified.
Story Points: ---
Clone Of:
: 971009
Last Closed: 2013-02-21 04:44:01 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Bug Blocks: 782183, 791327, 761573, 840699, 971009

Description Jakub Hrozek 2011-12-02 08:47:10 EST
Description of problem:
Sudo should be rebased to version 1.8 in RHEL6.3 to pull in new features, mainly the plugin support that is needed for the sudo/SSSD integration.
Comment 11 RHEL Product and Program Management 2012-02-07 10:35:34 EST
Quality Engineering Management has reviewed and declined this request.  You may
appeal this decision by reopening this request.
Comment 17 Daniel Kopeček 2012-07-11 07:27:50 EDT
Here is a summary of relevant changes, new features, etc. generated from the changelog for versions 1.7.4p5 -> 1.8.5

New features:
-------------
* Good news for QA: regression tests from upstream are included in the tarball

* Support for including sudoers files/directories #includedir. It's
  possible to implement an /etc/sudoers.d directory.

* Plugins + plugin API.

* new configuration file /etc/sudo.conf

* It is now possible to prevent the disabling of core dumps from
  within sudo itself by adding a line to the sudo.conf file like Set
  disable_coredump false.

* It is now possible to specify the sudoers path, uid, gid and file
  mode as options to the plugin in the sudo.conf file. 

* A new group provider plugin, system_group, is included which
  performs group lookups by name using the system groups
  database. This can be used to restore the pre-1.7.3 sudo group
  lookup behavior.

Changes in behaviour
--------------------

* If the user specifies a group via sudo's -g option that matches the
  target user's group in the password database, it is now allowed even
  if no groups are present in the Runas_Spec.

* Group ownership of the sudoers file is now only enforced when the
  file mode on sudoers allows group readability or writability.

* The NOPASSWD tag is now honored for denied commands too, which
  matches historic sudo behavior (prior to sudo 1.7.0).

* When matching groups in the sudoers file, sudo will now match based
  on the name of the group instead of the group ID. This can
  substantially reduce the number of group lookups for sudoers files
  that contain a large number of groups.

* Sudo will now create an entry in the utmp (or utmpx) file when
  allocating a pseudo-tty (e.g. when logging I/O). The "set_utmp" and
  "utmp_runas" sudoers file options can be used to control this. Other
  policy plugins may use the "set_utmp" and "utmp_user" entries in the
  command_info list.

* Spaces in command line arguments for sudo -s and sudo -i are now
  escaped with a backslash when checking the security policy.

* If the group vector is to be preserved, the PATH search for the
  command is now done with the user's original group vector.

* On systems with an SVR4-style /proc file system, the
  /proc/pid/psinfo file is now used to determine the controlling
  terminal, if possible. This allows tty-based tickets to work
  properly even when, e.g. standard input, output and error are
  redirected to /dev/null.

* The user/group/mode checks on sudoers files have been relaxed. As
  long as the file is owned by the sudoers uid, not world-writable and
  not writable by a group other than the sudoers gid, the file is
  considered OK. Note that visudo will still set the mode to the value
  specified at configure time.

* When "noexec" is enabled, sudo_noexec.so will now be prepended to
  any existing LD_PRELOAD variable instead of replacing it.

* The sudo_noexec.so shared library now wraps the execvpe(), exect(),
  posix_spawn() and posix_spawnp() functions.

* /etc/environment is no longer read directly on Linux systems when
  PAM is used. Sudo now merges the PAM environment into the user's
  environment which is typically set by the pam_env module. 

* If none of the standard input, output or error are connected to a
  tty device, sudo will now check its parent's standard input, output
  or error for the tty name on systems with /proc and BSD systems that
  support the KERN_PROC_PID sysctl. This allows tty-based tickets to
  work properly even when, e.g. standard input, output and error are
  redirected to /dev/null.

Backwards incompatible changes:
-------------------------------
* The -D flag in sudo has been replaced with a more general debugging
  framework that is configured in sudo.conf.

* The deprecated "noexec_file" sudoers option is no longer supported.

* The "noexec" functionality has been moved out of the sudoers policy
  plugin and into the sudo front-end, which matches the behavior
  documented in the plugin writer's guide. As a result, the path to
  the noexec file is now specified in the sudo.conf file instead of
  the sudoers file.

sudoers:
--------

* A group ID (%#gid) may now be specified in a User_List or
  Runas_List. Likewise, for non-Unix groups the syntax is %:#gid.

* Support for double-quoted words in the sudoers file has been
  fixed. The change in 1.7.5 for escaping the double quote character
  caused the double quoting to only be available at the beginning of
  an entry.

* White space is now permitted within a User_List when used in
  conjunction with a per-user Defaults definition.


visudo:
-------
* visudo -c will now list any include files that were checked in
  addition to the main sudoers file when everything parses OK.

* Users that only have read-only access to the sudoers file may now
  run visudo -c. Previously, write permissions were required even
  though no writing is done in check-only mode.

* When visudo is run with the -c (check) option, the sudoers file(s)
  owner and mode are now also checked unless the -f option was
  specified. 

* visudo will now fix the mode on the sudoers file even if no changes
  are made unless the -f option is specified.

* Visudo no longer assumes all editors support the +linenumber command
  line argument. It now uses a whitelist of editors known to support
  the option.

* Visudo now checks the contents of an alias and warns about cycles
  when the alias is expanded.


LDAP:
-----
* LDAP-based sudoers may now access by group ID in addition to group
  name.

* For LDAP-based sudoers, values in the search expression are now
  escaped as per RFC 4515.

* Sudo now honors the DEREF setting in ldap.conf which controls how
  alias dereferencing is done during an LDAP search.

* Added support for non-RFC 4517 compliant LDAP servers that require
  that seconds be present in a timestamp, such as Tivoli Directory
  Server.

* For LDAP-based sudoers, the runas_default sudoOption now works
  properly in a sudoRole that contains a sudoCommand.

* Removed extraneous parens in LDAP filter when sudoers_search_filter
  is enabled that can cause an LDAP search error.

* A new LDAP setting, sudoers_search_filter, has been added to
  ldap.conf. This setting can be used to restrict the set of records
  returned by the LDAP query.
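The sudo.conf front-end configuration listed above (plugin path, uid, gid and mode options, `Set disable_coredump`, the Debug framework), as an added example that is not part of the bug report or of the sudo project's own code: a small Python checker that parses the file and flags settings a reviewer would want to look at. The sample configuration is constructed for the example; the directive syntax follows sudo.conf(5) for sudo 1.8.

```python
"""Added example (not from the bug report or the sudo project): parse the
sudo.conf front-end configuration described above and flag settings worth
reviewing.  Directive syntax follows sudo.conf(5) for sudo 1.8."""
import shlex

SAMPLE_SUDO_CONF = """\
# sudo front-end configuration (constructed sample with two weak settings)
Plugin sudoers_policy sudoers.so sudoers_file=/etc/sudoers sudoers_uid=0 sudoers_gid=0 sudoers_mode=0660
Plugin sudoers_io sudoers.so
Set disable_coredump false
Debug sudo /var/log/sudo_debug all@warn
"""

def parse_sudo_conf(text):
    """Return a dict keyed by directive: Plugin -> [(name, path, {opt: val})],
    Path -> {name: path}, Set -> {name: value}, Debug -> [(prog, file, flags)]."""
    conf = {"Plugin": [], "Path": {}, "Set": {}, "Debug": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        words = shlex.split(line)
        kind, args = words[0], words[1:]
        if kind == "Plugin" and len(args) >= 2:
            opts = dict(a.split("=", 1) for a in args[2:] if "=" in a)
            conf["Plugin"].append((args[0], args[1], opts))
        elif kind == "Path" and len(args) == 2:
            conf["Path"][args[0]] = args[1]
        elif kind == "Set" and len(args) == 2:
            conf["Set"][args[0]] = args[1].lower()
        elif kind == "Debug" and len(args) == 3:
            conf["Debug"].append(tuple(args))
    return conf

def audit_sudo_conf(conf):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    # Core dumps of the setuid sudo process can expose credentials in memory.
    if conf["Set"].get("disable_coredump") == "false":
        findings.append("core dumps left enabled (Set disable_coredump false)")
    for name, _path, opts in conf["Plugin"]:
        mode = opts.get("sudoers_mode")
        if mode is not None and int(mode, 8) & 0o022:
            findings.append(f"{name}: sudoers_mode {mode} is group- or world-writable")
        if opts.get("sudoers_uid", "0") != "0":
            findings.append(f"{name}: sudoers_uid {opts['sudoers_uid']} is not root")
    return findings
```

Running `audit_sudo_conf(parse_sudo_conf(SAMPLE_SUDO_CONF))` on the sample returns two findings: the enabled core dumps and the 0660 sudoers_mode.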
Comment 26 Daniel Kopeček 2012-09-04 07:59:12 EDT
1.8.6 is out, this release contains the SSSD patch. However, the release tarball doesn't contain the sssd.c file and sudo won't compile with the --with-sssd flag. I've notified upstream about this and I think that it will be corrected in 1.8.6p1. As soon as that release is out I'm going to update to that version in Fedora (probably this week).


Relevant changes since 1.8.5:
-----------------------------

* If the user is a member of the exempt group in sudoers, they will no longer be prompted for a password even if the -k flag is specified with the command. This makes sudo -k command consistent with the behavior one would get if the user ran sudo -k immediately before running the command.

* The sudoers file may now be a symbolic link. Previously, sudo would refuse to read sudoers unless it was a regular file.

* When constructing a time filter for use with LDAP sudoNotBefore and sudoNotAfter attributes, the current time now includes tenths of a second. This fixes a problem with timed entries on Active Directory.

* If a user fails to authenticate and the command would be rejected by sudoers, it is now logged with "command not allowed" instead of "N incorrect password attempts". Likewise, the mail_no_perms sudoers option now takes precedence over mail_badpass.

* Support for using the System Security Services Daemon (SSSD) as a source of sudoers data.

* Visudo will now warn about unknown Defaults entries that are per-host, per-user, per-runas or per-command.
Comment 27 Karel Srot 2012-09-25 04:20:20 EDT
Thank you Dan.
@QE: please ensure that changes from #c26 are retested.
Comment 35 errata-xmlrpc 2013-02-21 04:44:01 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-0363.html