sudo-1.7.2p1-14.el5_8 and later changed the postinstall script to include a mktemp-based replacement of /etc/nsswitch.conf when trying to modify the sudoers: entry. If this happens, the file created by mktemp has mode 600 and an incorrect SELinux context, both of which are retained when moved to /etc. The SELinux issue has already been noted (bug 818585, among others), but the permissions issue is still outstanding. This effectively breaks name resolution for non-root users for any system which has sudo installed and applies updates newer than 1.7.2p1-13.el5.

Systems affected by either issue can be fixed by running:

    chmod 644 /etc/nsswitch.conf; restorecon /etc/nsswitch.conf
I'm still not entirely clear on what was intended by the mktemp versions of the post/postun scripts, but something like these would be safer:

    %post
    if ! grep -q '^[[:space:]]*sudoers:' /etc/nsswitch.conf; then
        echo 'sudoers: files ldap' >>/etc/nsswitch.conf
    fi
    find /etc/sudoers ! -perm 0440 -exec chmod 0440 {} \;
    find /etc/nsswitch.conf ! -context \*:etc_t -exec restorecon {} \;

    %postun
    if [ $1 = 0 ] && grep -q '^sudoers:[[:space:]]* files ldap$' /etc/nsswitch.conf; then
        sed -i -e '/^sudoers:[[:space:]]* files ldap$/ d' /etc/nsswitch.conf
    fi

This %post script will also fix any lingering damage from the earlier updates, if necessary. If I have some more time later, I'll work up a proper patch to sudo.spec for these and some additional cleanup.
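
The permissions failure described in this report can be reproduced in a scratch directory. The script below is an added example, not code from the sudo package or from the comments above; the function names, the sample file contents and the appended line are assumptions made for illustration. It contrasts a mktemp-then-mv replacement with one that copies the original's mode onto the temporary file first.

```shell
#!/bin/sh
# Added illustration; works in scratch directories and never touches /etc.
# The functions are hypothetical stand-ins, not the actual sudo scriptlets.

# Print the permission string of a file, e.g. "-rw-r--r--".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# Create a constructed sample nsswitch.conf with the usual mode 0644.
make_sample() {
    printf 'passwd: files\nhosts: files dns\n' > "$1"
    chmod 644 "$1"
}

# Pattern from the report: build the new file with mktemp, then mv it
# over the original. mktemp creates files with mode 0600 and mv keeps it.
replace_via_mktemp() {
    tmp=$(mktemp)
    { cat "$1"; echo 'sudoers: files ldap'; } > "$tmp"
    mv "$tmp" "$1"
}

# Same replacement, but the temp file lives next to the target and takes
# over the original's mode and ownership (cp -p) before being rewritten.
replace_keeping_mode() {
    tmp=$(mktemp "$(dirname "$1")/nss.XXXXXX")
    cp -p "$1" "$tmp"
    { cat "$1"; echo 'sudoers: files ldap'; } > "$tmp"
    mv "$tmp" "$1"
    # On SELinux systems the context has to be reset as well.
    if command -v restorecon >/dev/null 2>&1; then
        restorecon "$1" 2>/dev/null || true
    fi
}

# Run both variants on fresh samples and print the resulting modes.
demo() {
    dir=$(mktemp -d)
    make_sample "$dir/a.conf"; replace_via_mktemp "$dir/a.conf"
    make_sample "$dir/b.conf"; replace_keeping_mode "$dir/b.conf"
    echo "mktemp + mv:  $(mode_of "$dir/a.conf")"
    echo "cp -p first:  $(mode_of "$dir/b.conf")"
    rm -rf "$dir"
}

demo
```

A file left at `-rw-------` and owned by root is unreadable to every other user, which is how the replaced /etc/nsswitch.conf breaks name resolution for non-root accounts.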
This request was evaluated by Red Hat Product Management for inclusion in the current release of Red Hat Enterprise Linux. Because the affected component is not scheduled to be updated in the current release, Red Hat is unfortunately unable to address this request at this time. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
*** This bug has been marked as a duplicate of bug 846631 ***