Bug 846764 - Unsafe replacement of /etc/nsswitch.conf in sudo package postinstall script
Summary: Unsafe replacement of /etc/nsswitch.conf in sudo package postinstall script
Status: CLOSED DUPLICATE of bug 846631
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sudo
Version: 5.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
: ---
Assignee: Daniel Kopeček
QA Contact: BaseOS QE Security Team
Depends On:
TreeView+ depends on / blocked
Reported: 2012-08-08 15:48 UTC by Rob Foehl
Modified: 2012-08-09 08:18 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2012-08-09 08:18:08 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Rob Foehl 2012-08-08 15:48:38 UTC
sudo-1.7.2p1-14.el5_8 and later changed the postinstall script to include a mktemp-based replacement of /etc/nsswitch.conf when trying to modify the sudoers: entry.  If this happens, the file created by mktemp has mode 600 and an incorrect SELinux context, both of which are retained when moved to /etc.  The SELinux issue has already been noted (bug 818585, among others), but the permissions issue is still outstanding.

This effectively breaks name resolution for non-root users for any system which has sudo installed and applies updates newer than 1.7.2p1-13.el5.  Systems affected by either issue can be fixed by running:

  chmod 644 /etc/nsswitch.conf; restorecon /etc/nsswitch.conf

Comment 1 Rob Foehl 2012-08-09 01:57:17 UTC
I'm still not entirely clear on what was intended by the mktemp versions of the post/postun scripts, but something like these would be safer:

if ! grep -q '^[[:space:]]*sudoers:' /etc/nsswitch.conf; then
    echo 'sudoers: files ldap' >>/etc/nsswitch.conf

find /etc/sudoers ! -perm 0440 -exec chmod 0440 {} \;
find /etc/nsswitch.conf ! -context \*:etc_t -exec restorecon {} \;

if [ $1 = 0 ] && grep -q '^sudoers:[[:space:]]* files ldap$' /etc/nsswitch.conf; then
    sed -i -e '/^sudoers:[[:space:]]* files ldap$/ d' /etc/nsswitch.conf

This %post script will also fix any lingering damage from the earlier updates, if necessary.  If I have some more time later, I'll work up a proper patch to sudo.spec for these and some additional cleanup.

Comment 2 RHEL Program Management 2012-08-09 08:17:28 UTC
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.

Comment 3 Daniel Kopeček 2012-08-09 08:18:08 UTC

*** This bug has been marked as a duplicate of bug 846631 ***

Note You need to log in before you can comment on or make changes to this bug.