Bug 846764
Summary: | Unsafe replacement of /etc/nsswitch.conf in sudo package postinstall script | | |
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Rob Foehl <rwf> |
Component: | sudo | Assignee: | Daniel Kopeček <dkopecek> |
Status: | CLOSED DUPLICATE | QA Contact: | BaseOS QE Security Team <qe-baseos-security> |
Severity: | urgent | Docs Contact: | |
Priority: | urgent | | |
Version: | 5.8 | CC: | alihamad, dkopecek, jhughes, toracat |
Target Milestone: | rc | | |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2012-08-09 08:18:08 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Rob Foehl
2012-08-08 15:48:38 UTC
I'm still not entirely clear on what was intended by the mktemp versions of the post/postun scripts, but something like these would be safer:

```
%post
# Add a sudoers line only if nsswitch.conf does not already have one
if ! grep -q '^[[:space:]]*sudoers:' /etc/nsswitch.conf; then
    echo 'sudoers: files ldap' >>/etc/nsswitch.conf
fi
# Repair mode and SELinux label if an earlier update clobbered them
find /etc/sudoers ! -perm 0440 -exec chmod 0440 {} \;
find /etc/nsswitch.conf ! -context \*:etc_t -exec restorecon {} \;

%postun
# On final removal ($1 = 0), drop only the exact line this package added
if [ $1 = 0 ] && grep -q '^sudoers:[[:space:]]* files ldap$' /etc/nsswitch.conf; then
    sed -i -e '/^sudoers:[[:space:]]* files ldap$/ d' /etc/nsswitch.conf
fi
```

This %post script will also fix any lingering damage from the earlier updates, if necessary. If I have some more time later, I'll work up a proper patch to sudo.spec for these and some additional cleanup.

This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.

*** This bug has been marked as a duplicate of bug 846631 ***
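The point of the reporter's %post/%postun above is that the edit to /etc/nsswitch.conf is idempotent and only ever touches the one line the package owns, instead of rewriting the whole file. The script below is an added example, not the reporter's spec fragment and not part of the sudo package: it carries the same check-then-append and exact-match-then-delete logic, parameterised on a file path so it can be exercised on a scratch copy rather than the live /etc/nsswitch.conf. The function names, the sample file contents and the `demo` driver are this example's own; the chmod/restorecon steps are left out because they only make sense on the real host.

```shell
#!/bin/sh
# Added example, not the reporter's spec fragment: the same check-then-append
# and exact-match-then-delete logic, parameterised on a file path so it can be
# exercised on a scratch copy instead of the live /etc/nsswitch.conf. Function
# names are this example's own. The chmod/restorecon steps of the reporter's
# %post are left out because they only make sense on the real host.

# Add a 'sudoers:' entry only if the file has none yet. An entry the admin
# already wrote (for example 'sudoers: files sss') is left untouched, and a
# second run is a no-op, so the script is safe to re-run on every upgrade.
ensure_sudoers_entry() {
    f="$1"
    if ! grep -q '^[[:space:]]*sudoers:' "$f"; then
        echo 'sudoers: files ldap' >>"$f"
    fi
}

# Delete the entry only when it is exactly the one the package added;
# anything the admin edited does not match and therefore survives removal.
# Uses GNU sed -i (in place), as in the reporter's %postun.
remove_sudoers_entry() {
    f="$1"
    if grep -q '^sudoers:[[:space:]]* files ldap$' "$f"; then
        sed -i -e '/^sudoers:[[:space:]]* files ldap$/ d' "$f"
    fi
}

# Number of 'sudoers:' lines in the file; grep -c exits 1 on zero matches,
# so swallow that status and keep the printed "0".
count_sudoers_lines() {
    grep -c '^[[:space:]]*sudoers:' "$1" || true
}

# Demonstration on a constructed scratch file (not a real host's config).
demo() {
    scratch=$(mktemp) || return 1
    printf 'passwd: files\ngroup: files\nhosts: files dns\n' >"$scratch"
    ensure_sudoers_entry "$scratch"
    ensure_sudoers_entry "$scratch"    # second run must not duplicate the line
    echo "after two installs: $(count_sudoers_lines "$scratch") sudoers line(s)"
    remove_sudoers_entry "$scratch"
    echo "after removal: $(count_sudoers_lines "$scratch") sudoers line(s)"
    rm -f "$scratch"
}

demo
```

Running it twice against the same file leaves exactly one `sudoers:` line and all other entries intact, and removal deletes only the package's own line, which is what a temp-file-and-rename rewrite of the whole file cannot guarantee if it is interrupted or applied over a locally modified copy.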