Bug 615087 - Rebase sudo to version 1.7.3
Summary: Rebase sudo to version 1.7.3
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sudo
Version: 6.1
Hardware: All
OS: Linux
Priority: high
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Daniel Kopeček
QA Contact: Milos Malik
URL:
Whiteboard:
Duplicates: 639682
Depends On:
Blocks: 565939 607923
Reported: 2010-07-15 21:45 UTC by Mike Khusid
Modified: 2017-05-03 17:20 UTC (History)
CC List: 9 users

Fixed In Version: sudo-1.7.4p5-4.el6
Doc Type: Rebase: Bug Fixes and Enhancements
Doc Text:
Rebased to 1.7.4p5. Notable major changes since 1.7.2p2:
- If user has no supplementary groups, sudo will now fall back on checking the group file explicitly, which restores historic sudo behavior.
- Suspending and resuming the bash shell when PAM is in use now works properly. The SIGCONT signal was not being propagated to the child process.
- Sudo no longer prints a warning when the -k or -K options are specified and the ticket file does not exist.
- Time stamp files have moved from /var/run/sudo to /var/db/sudo. This prevents users from receiving the sudo lecture every time the system reboots. Time stamp files older than the boot time are ignored on systems where it is possible to determine this.
- Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile" in ldap.conf.
- Visudo will now treat an unrecognized Defaults entry as a parse error (sudo will warn but still run).
- The tty_tickets option is now on by default.
- If PAM is in use, wait until the process has finished before closing the PAM session.
- Support for logging a command's input and output as well as the ability to replay sessions.
- When the tty_tickets sudoers option is enabled but there is no terminal device, sudo will no longer use or create a tty-based ticket file. Previously, sudo would use a tty name of "unknown". As a consequence, if a user has no terminal device, sudo will now always prompt for a password.
- Qualify the command even if it is in the current working directory, e.g. "./foo" instead of just returning "foo". This removes an ambiguity between real commands and possible pseudo-commands in command matching.
- Implemented /etc/sudoers.d directory
Clone Of:
Environment:
Last Closed: 2011-05-19 11:46:33 UTC
Target Upstream Version:
Embargoed:



Links
System: Red Hat Product Errata
ID: RHSA-2011:0599
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Low: sudo security and bug fix update
Last Updated: 2011-05-19 11:46:21 UTC

Description Mike Khusid 2010-07-15 21:45:50 UTC
Description of problem:
http://www.sudo.ws/sudo/stable.html
Major changes between version 1.7.2p8 and 1.7.3:

    * Support for logging a command's input and output as well as the ability to replay sessions. For more information, see the documentation for the log_input and log_output Defaults options in the sudoers manual. Also see the sudoreplay manual for information on replaying I/O log sessions.

    * The use_pty sudoers option can be used to force a command to be run in a pseudo-pty, even when I/O logging is not enabled.

    * On some systems, sudo can now detect when a user has logged out and back in again when tty-based time stamps are in use. Supported systems include Solaris systems with the devices file system, Mac OS X, and Linux systems with the devpts filesystem (pseudo-ttys only).

    * On AIX systems, the registry setting in /etc/security/user is now taken into account when looking up users and groups. Sudo now applies the correct user and group ids when running a command as a user whose account details come from a different source (e.g. LDAP or DCE vs. local files).

    * Support for multiple sudoers_base and uri entries in ldap.conf. When multiple entries are listed, sudo will try each one in the order in which they are specified.

    * Sudo's SELinux support should now function correctly when running commands as a non-root user and when one of stdin, stdout or stderr is not a terminal.

    * Sudo will now use the Linux audit system when configured with the --with-linux-audit flag.

    * Sudo now uses mbr_check_membership() on systems that support it to determine group membership. Currently, only Darwin (Mac OS X) supports this.

    * When the tty_tickets sudoers option is enabled but there is no terminal device, sudo will no longer use or create a tty-based ticket file. Previously, sudo would use a tty name of "unknown". As a consequence, if a user has no terminal device, sudo will now always prompt for a password.

    * The passwd_timeout and timestamp_timeout options may now be specified as floating point numbers for more granular timeout values.

    * Negating the fqdn option in sudoers now works correctly when sudo is configured with the --with-fqdn option. In previous versions of sudo the fqdn was set before sudoers was parsed. 

Version-Release number of selected component (if applicable):
sudo-1.7.2p2-4.el6.x86_64
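The changelog above introduces the log_input/log_output, use_pty and fractional timeout options, and the Doc Text of this bug records that the rebase also added the /etc/sudoers.d directory. The following POSIX shell script is an added example, not code from the bug report or from the sudo project: it generates a sudoers drop-in that turns those options on, and before installing it checks the file name against the #includedir rule from the sudoers manual (files whose name contains a "." or ends in "~" are skipped, so a drop-in named "10-iolog.conf" is silently ignored). The function names, the "10-iolog" file name, the timeout values and the assumption that the main sudoers file contains "#includedir /etc/sudoers.d" are all the example's own; installing requires root.

```shell
#!/bin/sh
# Added example (not part of the bug report): build and install a
# /etc/sudoers.d drop-in enabling the I/O logging, use_pty, tty_tickets
# and fractional-timeout options described in the upstream changelog.

# sudo's #includedir ignores files whose name contains a '.' or ends
# in '~' (editor backups, .rpmnew/.rpmsave leftovers). A misnamed
# drop-in is never parsed, so a policy that looks installed has no
# effect. Returns 0 when the name will be read by sudo.
sudoers_dropin_name_ok() {
    name=$1
    case "$name" in
        ''|*.*|*~) return 1 ;;
        *)         return 0 ;;
    esac
}

# Print the drop-in body. Option names come from the changelog; the
# timeout values (in minutes, floats need sudo >= 1.7.3) are assumed.
sudoers_dropin_content() {
    cat <<'EOF'
# Managed drop-in: edit with "visudo -f /etc/sudoers.d/10-iolog".
Defaults    log_input, log_output
Defaults    use_pty
Defaults    tty_tickets
Defaults    passwd_timeout=0.5
Defaults    timestamp_timeout=2.5
EOF
}

# Write the drop-in to a temporary file, syntax-check it with visudo,
# then move it into place with the 0440 mode sudo expects. The temp
# name contains a '.', so sudo cannot pick it up half-written. Needs root.
install_sudoers_dropin() {
    name=$1
    dir=${2:-/etc/sudoers.d}   # assumed to be #includedir'ed from /etc/sudoers
    sudoers_dropin_name_ok "$name" || {
        echo "refusing drop-in name '$name': sudo would skip it" >&2
        return 1
    }
    tmp=$(mktemp "$dir/.tmp.XXXXXX") || return 1
    sudoers_dropin_content > "$tmp"
    if visudo -c -f "$tmp" >/dev/null; then
        chmod 0440 "$tmp" && mv "$tmp" "$dir/$name"
    else
        rm -f "$tmp"
        echo "drop-in failed visudo check, not installed" >&2
        return 1
    fi
}

# Usage (as root): install_sudoers_dropin 10-iolog
```

Sessions recorded by log_input/log_output can then be listed and replayed with sudoreplay, as the changelog notes; the name check matters most in automation, where a file written with a ".conf" suffix would pass every other test and still leave I/O logging off.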

Comment 2 RHEL Program Management 2010-07-15 22:17:40 UTC
This issue has been proposed when we are only considering blocker
issues in the current Red Hat Enterprise Linux release. It has
been denied for the current Red Hat Enterprise Linux release.

** If you would still like this issue considered for the current
release, ask your support representative to file as a blocker on
your behalf. Otherwise ask that it be considered for the next
Red Hat Enterprise Linux release. **

Comment 4 Daniel Kopeček 2010-11-23 10:10:13 UTC
*** Bug 639682 has been marked as a duplicate of this bug. ***

Comment 7 Daniel Kopeček 2011-01-14 00:34:41 UTC
Technical note added. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

New Contents:
Rebased to 1.7.4p5. Notable major changes since 1.7.2p2:

- If user has no supplementary groups, sudo will now fall back on checking the group file explicitly, which restores historic sudo behavior.
- Suspending and resuming the bash shell when PAM is in use now works properly. The SIGCONT signal was not being propagated to the child process.
- Sudo no longer prints a warning when the -k or -K options are specified and the ticket file does not exist.
- Time stamp files have moved from /var/run/sudo to /var/db/sudo. This prevents users from receiving the sudo lecture every time the system reboots. Time stamp files older than the boot time are ignored on systems where it is possible to determine this.
- Sudo now recognizes "tls_cacert" as an alias for "tls_cacertfile" in ldap.conf.
- Visudo will now treat an unrecognized Defaults entry as a parse error (sudo will warn but still run).
- The tty_tickets option is now on by default.
- If PAM is in use, wait until the process has finished before closing the PAM session.
- Support for logging a command's input and output as well as the ability to replay sessions.
- When the tty_tickets sudoers option is enabled but there is no terminal device, sudo will no longer use or create a tty-based ticket file. Previously, sudo would use a tty name of "unknown". As a consequence, if a user has no terminal device, sudo will now always prompt for a password.
- Qualify the command even if it is in the current working directory, e.g. "./foo" instead of just returning "foo". This removes an ambiguity between real commands and possible pseudo-commands in command matching.

Comment 10 Daniel Kopeček 2011-03-23 17:51:54 UTC
Technical note updated. If any revisions are required, please edit the "Technical Notes" field accordingly. All revisions will be proofread by the Engineering Content Services team.

Diffed Contents:
@@ -10,4 +10,5 @@
 - If PAM is in use, wait until the process has finished before closing the PAM session.
 - Support for logging a command's input and output as well as the ability to replay sessions.
 - When the tty_tickets sudoers option is enabled but there is no terminal device, sudo will no longer use or create a tty-based ticket file. Previously, sudo would use a tty name of "unknown". As a consequence, if a user has no terminal device, sudo will now always prompt for a password.
-- Qualify the command even if it is in the current working directory, e.g. "./foo" instead of just returning "foo". This removes an ambiguity between real commands and possible pseudo-commands in command matching.+- Qualify the command even if it is in the current working directory, e.g. "./foo" instead of just returning "foo". This removes an ambiguity between real commands and possible pseudo-commands in command matching.
+- Implemented /etc/sudoers.d directory
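Review bot: the added entry "- Implemented /etc/sudoers.d directory" is much terser than every other item in the note; state what it changes for administrators (that sudo now reads additional sudoers fragments from the /etc/sudoers.d directory) so the release note is as actionable as its neighbours. Also, the "-" and "+" lines for the "Qualify the command ..." entry carry identical visible text, so that pair records a change that is not visible here (such as trailing whitespace) rather than a wording change; only the sudoers.d line is a substantive addition.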

Comment 20 errata-xmlrpc 2011-05-19 11:46:33 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHSA-2011-0599.html

