CentOS Bug Tracker - CentOS-5
View Issue Details
0005883CentOS-5sudopublic2012-08-08 14:502012-08-15 11:16
PlatformOSOS Version5.8
Product Version5.8 
Target VersionFixed in Version5.8 
Summary0005883: Post-install script for sudo sets /etc/nsswitch.conf to mode 600
DescriptionUnder certain circumstances, the use of mktemp in the post-install script for sudo creates an 0600 root:root file in /tmp/ and then moves it to /etc/nsswitch.conf

This is unreadable by the users and breaks any hostnames in /etc/hosts , as well as any custom nsswitch dependencies like NIS before DNS.

Permissions on /etc/nsswitch.conf should be 0644

This only occurs in nsswitch.conf files with an existing "sudoers:" line. If there is no "sudoers:" line, the resulting permissions are 0644.
Steps To ReproduceRun the post-install script from sudo-1.7.2p1-14.el5_8.2 against the attached nsswitch.conf

if grep -q '^sudoers: files ldap$' "/etc/nsswitch.conf"; then
   grep -v '^sudoers: files ldap$' "/etc/nsswitch.conf" > "$NSSWITCH_TMPFILE" && \
   mv -f "$NSSWITCH_TMPFILE" "/etc/nsswitch.conf"
   restorecon "/etc/nsswitch.conf"

if ! grep -q '^[[:space:]]*sudoers:' "/etc/nsswitch.conf"; then
   # No "sudoers:" line in nsswitch.conf, add a default one
   echo "sudoers: files ldap" >> "/etc/nsswitch.conf"
   restorecon "/etc/nsswitch.conf"
TagsNo tags attached.
has duplicate 0005896closed kbsingh@karan.org Incorrect permission for '/etc/nsswitch.conf' (glibc-2.5-81.el5_8.4) 
Attached Files? nsswitch.conf (1,716) 2012-08-08 14:50

2012-08-08 19:09   
(Last edited: 2012-08-09 13:52)
This has been submitted upstream:


Also addressed in the following:



2012-08-10 06:54   
I can confirm this bug just happened to me. After the update nsswitch.conf had 600 permissions.

This bug should have a critical priority, since this can break any service that is ran by a non-root user and it needs to resolve host names. I had a problem with PostgreSQL, since it couldn't resolve "localhost" and it didn't want to start.
2012-08-13 12:16   
In 844420 at RedHat they claim to have it
  Fixed In Version: sudo-1.7.2p1-14.el5_8.1

However this CentOS-bug says it's reproducible in sudo-1.7.2p1-14.el5_8.2.

So is there a fix already? Is it available in CentOS?
2012-08-13 12:25   
neufeind, the relevant RH bug is 846631.
2012-08-13 15:08   
upstream released sudo-1.7.2p1-14.el5_8.3. According to the RHBA this specific issue should be fixed (http://rhn.redhat.com/errata/RHBA-2012-1160.html)
2012-08-13 17:14   
Update released: http://lists.centos.org/pipermail/centos-announce/2012-August/018796.html
2012-08-13 17:15   
Thanks. And I just discovered that CentOS meanwhile also ships that version 8.3.

Permissions are still correct after upgrading to that version.

Changelog says:
* Fri Aug 10 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p1-14.3
- don't use a temporary file when modifying nsswitch.conf
- fix permissions on nsswitch.conf, if needed

So I guess this ticket can be declared fixed.
2012-08-14 18:45   
Any further feedback on this issue - it appears to be fixed?

2012-08-15 11:16   
Fixed as per reporterss feedback with this errata http://lists.centos.org/pipermail/centos-announce/2012-August/018796.html

Issue History
2012-08-08 14:50jodie.cunninghamNew Issue
2012-08-08 14:50jodie.cunninghamFile Added: nsswitch.conf
2012-08-08 19:09JohnnyHughesNote Added: 0015610
2012-08-08 20:53toracatStatusnew => confirmed
2012-08-09 13:52JohnnyHughesNote Edited: 0015610bug_revision_view_page.php?bugnote_id=15610#r140
2012-08-10 06:54strahinjakNote Added: 0015617
2012-08-13 12:16neufeindNote Added: 0015631
2012-08-13 12:25jodie.cunninghamNote Added: 0015632
2012-08-13 15:08tigalchNote Added: 0015634
2012-08-13 17:14tigalchNote Added: 0015635
2012-08-13 17:15neufeindNote Added: 0015636
2012-08-14 18:45tigalchNote Added: 0015650
2012-08-14 18:45tigalchStatusconfirmed => feedback
2012-08-14 18:45tigalchNote Edited: 0015650bug_revision_view_page.php?bugnote_id=15650#r142
2012-08-15 10:56rangeRelationship addedhas duplicate 0005896
2012-08-15 11:16tigalchNote Added: 0015657
2012-08-15 11:16tigalchStatusfeedback => resolved
2012-08-15 11:16tigalchFixed in Version => 5.8
2012-08-15 11:16tigalchResolutionopen => fixed