Chapter 1. Package Updates
252
The sudo utility did not properly initialize supplementary groups when the "runas_default" option
(in the sudoers file) was used. If a local user were authorized by the sudoers file to perform their
sudo commands under the account specified with "runas_default", they would receive the root user's
supplementary groups instead of those of the intended target user, giving them unintended privileges.
(
CVE-2010-0427
2017
)
Users of sudo should upgrade to this updated package, which contains backported patches to correct
these issues.
1.195.2. RHBA-2010:0212: bug fix update
An updated sudo package that fixes various bugs is now available.
The sudo (super user do) utility allows system administrators to give certain users the ability to run
commands as root with logging.
This update addresses the following issues:
* if runas_default=[value] was set in the sudoers file, running a command such as "sudo -i" returned
a collection of system groups rather than switching the current user to the user specified by the
runas_default parameter. This has been corrected with this update: setting the runas_default
parameter in the sudoers file now works as expected. (
BZ#497873
2018
)
* the /etc/sudoers configuration file supports expressing ranges such as "[A-Z]" and "[a-z]" when
delineating permissions on files. However, the range "[A-z]" (uppercase 'A' to lowercase 'z') was not
equivalent to "[A-Za-z]" in certain locales, such as those using the UTF-8 character encoding. With this
update, the range "[A-z]" can be used in the sudoers file to restrict access to files with names that use
only basic Latin alphabetical characters. (
BZ#512191
2019
)
* the variable used for iterating wildcards (such as * and !) was being freed incorrectly. As a
consequence, situations where a single file with a long file name was the only wildcard match would
result in an error, restricting access. The sudo utility now correctly frees the glob iterator, and long file
names work as expected with wildcard characters. (
BZ#521778
2020
)
* visudo is a tool for editing the sudoers file that locks against simultaneous editing and provides other
error checking. The visudo tool did not support unused aliases, and as a result any unused aliases in
the sudoers file would cause visudo to fail with an error. The visudo tool has been updated to handle
unused aliases, and now no longer fails when encountering them in the sudoers file. (
BZ#550326
2021
)
* user names that are identical to process UIDs (unique identifiers), such as 'proxy', are allowable.
Previously, sudo erroneously rejected commands such as 'sudo su - proxy', interpreting the user
name as the process UID, resulting in these super users being unable to authenticate. The sudo
utility now differentiates between user names and process UIDs, and users authenticate as expected.
BZ#
2022
500942)
* the requiretty option requires a user to use only a real terminal (TTY). When sudo was used over
LDAP (Lightweight Directory Access Protocol), the !requiretty (TTY not required) option was incorrectly
2017
https://www.redhat.com/security/data/cve/CVE-2010-0427.html
2018
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=497873
2019
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=512191
2020
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=521778
2021
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=550326
2022
https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=
Summary of Contents for ENTERPRISE LINUX 5.5 - S 2010
Page 10: ...x ...
Page 308: ...298 ...
Page 310: ...300 ...
Page 468: ...458 ...
Page 470: ...460 ...