Bug 846764

Summary: Unsafe replacement of /etc/nsswitch.conf in sudo package postinstall script
Product: Red Hat Enterprise Linux 5
Component: sudo
Version: 5.8
Reporter: Rob Foehl <rwf>
Assignee: Daniel Kopeček <dkopecek>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: alihamad, dkopecek, jhughes, toracat
Status: CLOSED DUPLICATE
Severity: urgent
Priority: urgent
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2012-08-09 08:18:08 UTC

Description Rob Foehl 2012-08-08 15:48:38 UTC
sudo-1.7.2p1-14.el5_8 and later changed the postinstall script to include a mktemp-based replacement of /etc/nsswitch.conf when trying to modify the sudoers: entry.  If this happens, the file created by mktemp has mode 600 and an incorrect SELinux context, both of which are retained when moved to /etc.  The SELinux issue has already been noted (bug 818585, among others), but the permissions issue is still outstanding.

This effectively breaks name resolution for non-root users for any system which has sudo installed and applies updates newer than 1.7.2p1-13.el5.  Systems affected by either issue can be fixed by running:

  chmod 644 /etc/nsswitch.conf; restorecon /etc/nsswitch.conf

Comment 1 Rob Foehl 2012-08-09 01:57:17 UTC
I'm still not entirely clear on what was intended by the mktemp versions of the post/postun scripts, but something like these would be safer:

%post
# Add a sudoers: entry only if none exists. Appending in place (rather than
# rewriting the file through mktemp + mv) leaves the mode, owner and SELinux
# label of /etc/nsswitch.conf untouched.
if ! grep -q '^[[:space:]]*sudoers:' /etc/nsswitch.conf; then
    echo 'sudoers: files ldap' >>/etc/nsswitch.conf
fi

# Repair damage left by the earlier mktemp-based scriptlets: /etc/sudoers
# must be 0440, /etc/nsswitch.conf must be world-readable (0644) and carry
# its policy label (etc_t). Each fix is applied only when needed.
find /etc/sudoers ! -perm 0440 -exec chmod 0440 {} \;
find /etc/nsswitch.conf ! -perm 0644 -exec chmod 0644 {} \;
find /etc/nsswitch.conf ! -context \*:etc_t -exec restorecon {} \;

%postun
# On final removal ($1 = 0) strip only the exact line this package added,
# so a locally customised sudoers: entry is left alone.
if [ $1 = 0 ] && grep -q '^sudoers:[[:space:]]* files ldap$' /etc/nsswitch.conf; then
    sed -i -e '/^sudoers:[[:space:]]* files ldap$/ d' /etc/nsswitch.conf
fi

This %post script will also fix any lingering damage from the earlier updates, if necessary.  If I have some more time later, I'll work up a proper patch to sudo.spec for these and some additional cleanup.
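The root cause from the description (mktemp creates its file 0600 and the scriptlet moved that file over /etc/nsswitch.conf) and the general-case fix for any packaging script that must rewrite, rather than append to, a file in /etc, as an added shell example. It is not code from the bug report or from the sudo package; the function names are illustrative, and it assumes GNU coreutils (chmod/chown/chcon --reference, stat -c) with restorecon treated as optional so it runs on hosts without SELinux.

```shell
#!/bin/sh
# Added example, not from the bug report or the sudo package.
# Shows why a mktemp + mv replacement leaks a 0600 mode into /etc and how to
# replace a config file through a temp file while preserving the original's
# mode, ownership and SELinux label. Assumes GNU coreutils.

# mktemp_default_mode: demonstrates the root cause. mktemp(1) creates its
# file 0600 regardless of umask, so a scriptlet that mv's such a file over
# /etc/nsswitch.conf leaves the target unreadable to non-root users.
mktemp_default_mode() {
    t=$(mktemp) || return 1
    stat -c '%a' "$t"
    rm -f "$t"
}

# file_mode FILE: prints the octal permission bits (e.g. 644).
file_mode() {
    stat -c '%a' "$1"
}

# ensure_sudoers_entry FILE
# Appends "sudoers: files ldap" to FILE unless a sudoers: line is present.
# Writes through a temp file in the same directory (so mv is an atomic
# rename), copies mode, owner and label from the original onto the temp
# file, and only then renames it: the target never holds a 0600 or
# mislabelled file, not even for an instant.
ensure_sudoers_entry() {
    target=$1
    dir=$(dirname "$target")

    if grep -q '^[[:space:]]*sudoers:' "$target"; then
        return 0   # already configured; leave the file untouched
    fi

    tmp=$(mktemp "$dir/.nsswitch.XXXXXX") || return 1

    if ! { cat "$target"; echo 'sudoers: files ldap'; } >"$tmp"; then
        rm -f "$tmp"
        return 1
    fi

    # Undo mktemp's defaults: inherit the target's mode and ownership.
    chmod --reference="$target" "$tmp" || { rm -f "$tmp"; return 1; }
    chown --reference="$target" "$tmp" 2>/dev/null || true   # no-op when unprivileged

    # Copy the SELinux label as well (silently a no-op without SELinux).
    chcon --reference="$target" "$tmp" 2>/dev/null || true

    mv -f "$tmp" "$target" || { rm -f "$tmp"; return 1; }

    # Belt and braces: let policy decide the final label where the tool exists.
    command -v restorecon >/dev/null 2>&1 && restorecon "$target" 2>/dev/null
    return 0
}
```

For the sudo case itself, appending in place as Comment 1 does avoids the problem entirely; the function above is for the case where the file genuinely has to be rewritten (an entry edited or removed), where the order "fix mode and label, then rename" is what keeps the /etc copy correct at every point.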

Comment 2 RHEL Program Management 2012-08-09 08:17:28 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 3 Daniel Kopeček 2012-08-09 08:18:08 UTC

*** This bug has been marked as a duplicate of bug 846631 ***