Bug 848821

Summary: nsswitch.conf update can get lost when glibc updates are installed at the same time on a multiarch system
Product: Red Hat Enterprise Linux 5
Component: sudo
Version: 5.8
Status: CLOSED WONTFIX
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Hardware: Unspecified
OS: Unspecified
Reporter: Tom G. Christensen <tgc>
Assignee: Daniel Kopeček <dkopecek>
QA Contact: BaseOS QE Security Team <qe-baseos-security>
CC: dapospis, dkopecek
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-03-13 12:54:35 UTC

Description Tom G. Christensen 2012-08-16 13:49:21 UTC
Description of problem:
The current sudo package attempts to add a line to nsswitch.conf if it is missing, but it can fail if the update transaction also includes glibc on a multiarch system.
What happens is that due to the multiarch nature two glibc packages will be installed and in some circumstances yum orders the updates in a way that first glibc is updated, then sudo (at which point the added line exists in /etc/nsswitch.conf) and then the other glibc arch is updated which overwrites /etc/nsswitch.conf with the copy included in glibc.

Version-Release number of selected component (if applicable):
sudo-1.7.2p1-14.el5_8.3.x86_64

How reproducible:
100%

Steps to Reproduce:
1. Install a fresh rhel 5.8/x86_64 with sudo and openssl and no updates
2. remove the 'sudoers:' line from /etc/nsswitch.conf
3. yum update sudo openssl glibc

....  
Running Transaction
  Updating       : glibc-common       1/14 
  Updating       : glibc              2/14 
  Updating       : openssl            3/14 
  Updating       : sudo               4/14 
  Updating       : nscd               5/14 
  Updating       : glibc              6/14 
  Updating       : openssl            7/14                
....

Actual results:
# grep sudoers /etc/nsswitch.conf
#

Expected results:
# grep sudoers /etc/nsswitch.conf
sudoers:  files ldap
#


Additional info:
The example with 'sudo openssl glibc' is just one easy way to provoke this issue. Any combination of updates that can trigger sudo being updated in the middle of a glibc multiarch sandwich could cause this problem.
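
Added example, not part of the original report or of the sudo, glibc or yum packages: a shell check that takes a saved yum transaction listing and a copy of nsswitch.conf and reports whether the sudoers: line is absent and whether sudo was updated between two glibc steps, the ordering described above. The function names, verdict strings and temporary files are constructed for illustration, and the listing format is assumed to match the output quoted in the report.

```shell
#!/bin/sh
# Constructed sample: the transaction order quoted in the report above.
sample_transaction() {
cat <<'EOF'
  Updating       : glibc-common       1/14
  Updating       : glibc              2/14
  Updating       : openssl            3/14
  Updating       : sudo               4/14
  Updating       : nscd               5/14
  Updating       : glibc              6/14
  Updating       : openssl            7/14
EOF
}

# Exit 0 if the listing on stdin shows sudo handled between two glibc steps.
sudo_in_glibc_sandwich() {
    awk '
        $1 != "Updating" && $1 != "Installing" { next }
        $3 == "glibc" && !seen_sudo { before = 1 }      # first glibc arch
        $3 == "sudo"  && before     { seen_sudo = 1 }   # sudo edits nsswitch.conf here
        $3 == "glibc" && seen_sudo  { hit = 1 }         # second arch replaces the file
        END { exit hit ? 0 : 1 }
    '
}

# Exit 0 if the nsswitch.conf-style file $1 has an uncommented sudoers: line.
has_sudoers_entry() {
    grep -Eq '^[[:space:]]*sudoers:' "$1"
}

# Print a verdict for a transaction listing ($1) and an nsswitch.conf copy ($2).
check_update() {
    if has_sudoers_entry "$2"; then
        echo "ok"
    elif sudo_in_glibc_sandwich < "$1"; then
        echo "lost-after-glibc-reorder"
    else
        echo "missing"
    fi
}

# Demo on constructed files: an nsswitch.conf without the sudoers: line.
tmp=$(mktemp -d)
sample_transaction > "$tmp/yum.log"
: > "$tmp/nsswitch.conf"
check_update "$tmp/yum.log" "$tmp/nsswitch.conf"
rm -rf "$tmp"
```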

Comment 1 Dalibor Pospíšil 2012-08-16 14:16:57 UTC
I think that this is correct behavior because if you manually remove the line from nsswitch.conf it should not be automatically recreated.

Comment 2 Tom G. Christensen 2012-08-16 16:43:49 UTC
Let's see what happens if I revert my test VM and only update sudo:
# rpm -q sudo
sudo-1.7.2p1-13.el5.x86_64
# grep sudoers nsswitch.conf
#
# yum install sudo
....
Running Transaction
  Updating       : sudo                         1/2
...
# rpm -q sudo
sudo-1.7.2p1-14.el5_8.3.x86_64
# grep sudoers nsswitch.conf 
sudoers:  files ldap
#

That does not match the behaviour you describe.