Bug 846764 - Unsafe replacement of /etc/nsswitch.conf in sudo package postinstall script
Status: CLOSED DUPLICATE of bug 846631
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sudo (Show other bugs)
Assigned To: Daniel Kopeček
BaseOS QE Security Team
Reported: 2012-08-08 11:48 EDT by Rob Foehl
Modified: 2012-08-09 04:18 EDT (History)

Doc Type: Bug Fix
Last Closed: 2012-08-09 04:18:08 EDT
Type: Bug

Description Rob Foehl 2012-08-08 11:48:38 EDT
sudo-1.7.2p1-14.el5_8 and later changed the postinstall script to include a mktemp-based replacement of /etc/nsswitch.conf when trying to modify the sudoers: entry.  If this happens, the file created by mktemp has mode 600 and an incorrect SELinux context, both of which are retained when moved to /etc.  The SELinux issue has already been noted (bug 818585, among others), but the permissions issue is still outstanding.

This effectively breaks name resolution for non-root users for any system which has sudo installed and applies updates newer than 1.7.2p1-13.el5.  Systems affected by either issue can be fixed by running:

  chmod 644 /etc/nsswitch.conf; restorecon /etc/nsswitch.conf
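The failure mode described above, as an added example that is not part of the bug report or of the sudo package: a mktemp-then-mv replacement next to one that copies the original's mode and ownership before the rename. File paths are parameters so it can be exercised on a scratch file rather than /etc; GNU coreutils (stat -c, chmod/chown --reference) is assumed.

```shell
#!/bin/sh
# Added example (not from the bug report): mktemp creates its file 0600 and
# mv keeps that mode (and the temp file's SELinux label) on the destination.
# Assumes GNU coreutils; paths are parameters so it runs on a scratch file.

# Buggy pattern: edit into a mktemp file in the same directory, then mv.
unsafe_replace() {   # unsafe_replace FILE
    tmp=$(mktemp "$(dirname "$1")/.tmp.XXXXXX") || return 1
    sed -e '/^sudoers:/d' "$1" >"$tmp" && echo 'sudoers: files ldap' >>"$tmp"
    mv -f "$tmp" "$1"            # destination now carries the 0600 mode
}

# Safe pattern: copy mode and owner from the original before the rename,
# then let restorecon relabel when SELinux tooling is present.
safe_replace() {     # safe_replace FILE
    tmp=$(mktemp "$(dirname "$1")/.tmp.XXXXXX") || return 1
    sed -e '/^sudoers:/d' "$1" >"$tmp" && echo 'sudoers: files ldap' >>"$tmp" \
        || { rm -f "$tmp"; return 1; }
    chmod --reference="$1" "$tmp" && chown --reference="$1" "$tmp" \
        || { rm -f "$tmp"; return 1; }
    mv -f "$tmp" "$1" || return 1
    command -v restorecon >/dev/null 2>&1 && restorecon "$1"
    return 0
}

file_mode() { stat -c %a "$1"; }   # octal permission bits, e.g. 644

# Demo on a constructed nsswitch.conf-like file in a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'passwd: files\nsudoers: files\n' >"$d/nsswitch.conf"
    chmod 644 "$d/nsswitch.conf"
    unsafe_replace "$d/nsswitch.conf"
    bad=$(file_mode "$d/nsswitch.conf")    # 600: unreadable by non-root users
    chmod 644 "$d/nsswitch.conf"
    safe_replace "$d/nsswitch.conf"
    good=$(file_mode "$d/nsswitch.conf")   # 644: world-readable as before
    rm -rf "$d"
    echo "unsafe=$bad safe=$good"
}
```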
Comment 1 Rob Foehl 2012-08-08 21:57:17 EDT
I'm still not entirely clear on what was intended by the mktemp versions of the post/postun scripts, but something like these would be safer:

# %post: add the sudoers: entry only when it is missing, without rewriting the file
if ! grep -q '^[[:space:]]*sudoers:' /etc/nsswitch.conf; then
    echo 'sudoers: files ldap' >>/etc/nsswitch.conf
fi

# repair mode and SELinux context in place, never by replacing the file
find /etc/sudoers ! -perm 0440 -exec chmod 0440 {} \;
find /etc/nsswitch.conf ! -context \*:etc_t -exec restorecon {} \;

# %postun: on final removal ($1 = 0), drop only the exact entry we added
if [ "$1" = 0 ] && grep -q '^sudoers:[[:space:]]* files ldap$' /etc/nsswitch.conf; then
    sed -i -e '/^sudoers:[[:space:]]* files ldap$/ d' /etc/nsswitch.conf
fi

This %post script will also fix any lingering damage from the earlier updates, if necessary.  If I have some more time later, I'll work up a proper patch to sudo.spec for these and some additional cleanup.
Comment 2 RHEL Product and Program Management 2012-08-09 04:17:28 EDT
This request was evaluated by Red Hat Product Management for
inclusion in the current release of Red Hat Enterprise Linux.
Because the affected component is not scheduled to be updated in the
current release, Red Hat is unfortunately unable to address this
request at this time. Red Hat invites you to ask your support
representative to propose this request, if appropriate and relevant,
in the next release of Red Hat Enterprise Linux.
Comment 3 Daniel Kopeček 2012-08-09 04:18:08 EDT

*** This bug has been marked as a duplicate of bug 846631 ***
