
1.195. sudo

1.195.1. RHSA-2010:0122: Important security update


This update has already been released (prior to the GA of this release) as the security errata RHSA-2010:0122.
An updated sudo package that fixes two security issues is now available for Red Hat Enterprise Linux 5.
This update has been rated as having important security impact by the Red Hat Security Response Team.
The sudo (superuser do) utility allows system administrators to give certain users the ability to run commands as root.
A privilege escalation flaw was found in the way sudo handled the sudoedit pseudo-command. If a local user were authorized by the sudoers file to use this pseudo-command, they could possibly leverage this flaw to execute arbitrary code with the privileges of the root user. (CVE-2010-0426)
The sudo utility did not properly initialize supplementary groups when the "runas_default" option (in the sudoers file) was used. If a local user were authorized by the sudoers file to perform their sudo commands under the account specified with "runas_default", they would receive the root user's supplementary groups instead of those of the intended target user, giving them unintended privileges. (CVE-2010-0427)
Users of sudo should upgrade to this updated package, which contains backported patches to correct these issues.
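To find out which sudoers entries match the two conditions the advisory describes before the package is upgraded, here is an added Python example; it is not Red Hat's code and not part of the advisory. It audits a constructed sample sudoers file (the sample and the user names in it are made up), does not follow #include or #includedir directives, treats a user spec that omits a (runas) list as running under runas_default, and counts the ALL command as permitting sudoedit.

```python
"""Audit a sudoers file for the two configurations RHSA-2010:0122 describes:
users authorized for the sudoedit pseudo-command (CVE-2010-0426) and users
whose commands run under runas_default (CVE-2010-0427).  Added example that
reads a single file; #include/#includedir directives are not followed."""
import re

# Constructed sample sudoers content (not from the advisory or Red Hat).
SAMPLE_SUDOERS = """\
# comment line, ignored
Defaults    requiretty
Defaults    runas_default=svcacct
root    ALL=(ALL) ALL
alice   ALL=(ALL) sudoedit /etc/hosts, /usr/bin/less
bob     ALL=(root) /usr/bin/systemctl
carol   ALL= /usr/bin/less, \\
            /usr/bin/tail
%wheel  ALL=(ALL) ALL
"""

# "Defaults ... runas_default=<user>"; per-user/host Defaults scopes are
# treated the same (conservatively), since they still change the runas target.
DEFAULTS_RE = re.compile(r'^Defaults\b.*?\brunas_default\s*=\s*"?([^\s,"]+)"?')
# user  host = (runas) commands   -- the (runas) group is optional.
USERSPEC_RE = re.compile(r'^(\S+)\s+(\S+)\s*=\s*(?:\(([^)]*)\)\s*)?(.*)$')
ALIAS_KEYWORDS = ("User_Alias", "Runas_Alias", "Host_Alias", "Cmnd_Alias")


def logical_lines(text):
    """Join backslash-continued lines and drop blanks and comments.
    #include/#includedir lines are skipped too: this audit reads one file."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        stripped = (buf + line).strip()
        buf = ""
        if stripped and not stripped.startswith("#"):
            lines.append(stripped)
    return lines


def audit_sudoers(text):
    """Return the runas_default user (None if unset), users who may invoke
    sudoedit (explicitly, or via the ALL command, which permits it), and users
    whose specs omit a (runas) list and therefore run as runas_default."""
    runas_default = None
    sudoedit_users, implicit_runas_users = [], []
    for line in logical_lines(text):
        m = DEFAULTS_RE.match(line)
        if m:
            runas_default = m.group(1)
            continue
        if line.startswith("Defaults") or line.startswith(ALIAS_KEYWORDS):
            continue  # other Defaults settings and alias definitions
        m = USERSPEC_RE.match(line)
        if not m:
            continue  # anything this simple parser does not understand
        user, _host, runas, cmds = m.groups()
        commands = [c.strip() for c in cmds.split(",")]
        if any(c == "ALL" or c == "sudoedit" or c.startswith("sudoedit ")
               for c in commands):
            sudoedit_users.append(user)
        if runas is None:
            implicit_runas_users.append(user)
    return {
        "runas_default": runas_default,
        "sudoedit_users": sudoedit_users,
        "implicit_runas_users": implicit_runas_users,
    }


def findings(text):
    """Map the audit result onto the two CVEs for a pre-upgrade risk report."""
    r = audit_sudoers(text)
    out = []
    if r["sudoedit_users"]:
        out.append("CVE-2010-0426: sudoedit reachable by %s"
                   % ", ".join(r["sudoedit_users"]))
    # CVE-2010-0427 only applies when runas_default is explicitly set.
    if r["runas_default"] and r["implicit_runas_users"]:
        out.append("CVE-2010-0427: %s run as runas_default=%s"
                   % (", ".join(r["implicit_runas_users"]), r["runas_default"]))
    return out


if __name__ == "__main__":
    for line in findings(SAMPLE_SUDOERS):
        print(line)
```

Run against a real /etc/sudoers the report lists who could reach sudoedit and who runs under runas_default; both groups are the accounts for which the upgrade matters most, and a non-empty report is the cue to verify the installed package version rather than to edit the policy.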

1.195.2. RHBA-2010:0212: bug fix update

An updated sudo package that fixes various bugs is now available.
The sudo (super user do) utility allows system administrators to give certain users the ability to run commands as root with logging.
This update addresses the following issues:
* if runas_default=[value] was set in the sudoers file, running a command such as "sudo -i" returned a collection of system groups rather than switching the current user to the user specified by the runas_default parameter. This has been corrected with this update: setting the runas_default parameter in the sudoers file now works as expected. (BZ#497873)
* the /etc/sudoers configuration file supports expressing ranges such as "[A-Z]" and "[a-z]" when delineating permissions on files. However, the range "[A-z]" (uppercase 'A' to lowercase 'z') was not equivalent to "[A-Za-z]" in certain locales, such as those using the UTF-8 character encoding. With this update, the range "[A-z]" can be used in the sudoers file to restrict access to files with names that use only basic Latin alphabetical characters. (BZ#512191)
* the variable used for iterating wildcards (such as * and !) was being freed incorrectly. As a consequence, situations where a single file with a long file name was the only wildcard match would result in an error, restricting access. The sudo utility now correctly frees the glob iterator, and long file names work as expected with wildcard characters. (BZ#521778)
* visudo is a tool for editing the sudoers file that locks against simultaneous editing and provides other error checking. The visudo tool did not support unused aliases, and as a result any unused aliases in the sudoers file would cause visudo to fail with an error. The visudo tool has been updated to handle unused aliases, and now no longer fails when encountering them in the sudoers file. (BZ#550326)
* user names that are identical to process UIDs (unique identifiers), such as 'proxy', are allowable. Previously, sudo erroneously rejected commands such as 'sudo su - proxy', interpreting the user name as the process UID, resulting in these super users being unable to authenticate. The sudo utility now differentiates between user names and process UIDs, and users authenticate as expected. (BZ#500942)
* the requiretty option requires a user to use only a real terminal (TTY). When sudo was used over LDAP (Lightweight Directory Access Protocol), the !requiretty (TTY not required) option was incorrectly interpreted, and access was not granted to users from non-TTY connections. The sudo utility now correctly sets the !requiretty option for LDAP users, and they can connect normally. (BZ#521903)
* the #includedir directive includes the contents of external directories in the current file. The directive was not supported in the sudoers file and sudo utility, and as a result external settings files could not be included. The sudo utility now supports the #includedir directive, and external settings files can be used in the sudoers file. (BZ#538700)
* a bug in the realloc() function caused sudo to crash with a segfault when using a sudoers file with a deep #include structure. This update corrects this. Note: the hard limit of 128 nested include files (enforced to prevent #include file loops) remains. (BZ#561336)
All users of sudo are advised to upgrade to this updated package, which resolves these issues.

Note: This documentation is provided {and copyrighted} by Red Hat®, Inc. and is released via the Open Publication License. The copyright holder has added the further requirement that Distribution of substantively modified versions of this document is prohibited without the explicit permission of the copyright holder. The CentOS project redistributes these original works (in their unmodified form) as a reference for CentOS-5 because CentOS-5 is built from publicly available, open source SRPMS. The documentation is unmodified to be compliant with upstream distribution policy. Neither CentOS-5 nor the CentOS Project are in any way affiliated with or sponsored by Red Hat®, Inc.