ID: 0005883
Project: CentOS-5
Category: sudo
View Status: public
Last Update: 2012-08-15 11:16
Reporter: jodie.cunningham
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
OS Version: 5.8
Product Version: 5.8
Fixed in Version: 5.8
Summary: 0005883: Post-install script for sudo sets /etc/nsswitch.conf to mode 600
Description: Under certain circumstances, the use of mktemp in the post-install script for sudo creates a 0600 root:root file in /tmp/ and then moves it to /etc/nsswitch.conf.

This is unreadable by the users and breaks any hostnames in /etc/hosts , as well as any custom nsswitch dependencies like NIS before DNS.

Permissions on /etc/nsswitch.conf should be 0644

This only occurs in nsswitch.conf files with an existing "sudoers:" line. If there is no "sudoers:" line, the resulting permissions are 0644.
Steps To Reproduce: Run the post-install script from sudo-1.7.2p1-14.el5_8.2 against the attached nsswitch.conf

postinstall:
if grep -q '^sudoers: files ldap$' "/etc/nsswitch.conf"; then
   # mktemp creates this file with mode 0600 regardless of umask; mv -f then
   # installs it as /etc/nsswitch.conf with that mode, which is the bug reported here
   NSSWITCH_TMPFILE=$(mktemp)
   grep -v '^sudoers: files ldap$' "/etc/nsswitch.conf" > "$NSSWITCH_TMPFILE" && \
   mv -f "$NSSWITCH_TMPFILE" "/etc/nsswitch.conf"
   restorecon "/etc/nsswitch.conf"
fi

if ! grep -q '^[[:space:]]*sudoers:' "/etc/nsswitch.conf"; then
   # No "sudoers:" line in nsswitch.conf, add a default one
   echo "sudoers: files ldap" >> "/etc/nsswitch.conf"
   restorecon "/etc/nsswitch.conf"
fi
Tags: No tags attached.
Attached Files

Relationships
has duplicate 0005896 (closed, kbsingh@karan.org): Incorrect permission for '/etc/nsswitch.conf' (glibc-2.5-81.el5_8.4)

Notes

~0015610 JohnnyHughes (administrator)
Last edited: 2012-08-09 13:52

This has been submitted upstream:

http://bugzilla.redhat.com/show_bug.cgi?id=844420

Also addressed in the following:

http://bugzilla.redhat.com/show_bug.cgi?id=846631

http://bugzilla.redhat.com/show_bug.cgi?id=846764

~0015617 strahinjak (reporter)

I can confirm this bug just happened to me. After the update nsswitch.conf had 600 permissions.

This bug should have a critical priority, since this can break any service that is run by a non-root user and needs to resolve host names. I had a problem with PostgreSQL, since it couldn't resolve "localhost" and it didn't want to start.

~0015631 neufeind (reporter)

In 844420 at RedHat they claim to have it
  Fixed In Version: sudo-1.7.2p1-14.el5_8.1

However, this CentOS bug says it's reproducible in sudo-1.7.2p1-14.el5_8.2.

So is there a fix already? Is it available in CentOS?

~0015632 jodie.cunningham (reporter)

neufeind, the relevant RH bug is 846631.

~0015634 tigalch (manager)

Upstream released sudo-1.7.2p1-14.el5_8.3. According to the RHBA, this specific issue should be fixed (http://rhn.redhat.com/errata/RHBA-2012-1160.html).

~0015635 tigalch (manager)

Update released: http://lists.centos.org/pipermail/centos-announce/2012-August/018796.html

~0015636 neufeind (reporter)

Thanks. And I just discovered that CentOS meanwhile also ships that version 8.3.

Permissions are still correct after upgrading to that version.

Changelog says:
* Fri Aug 10 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p1-14.3
- don't use a temporary file when modifying nsswitch.conf
- fix permissions on nsswitch.conf, if needed

So I guess this ticket can be declared fixed.
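The scriptlet from the description and the two changelog lines above, reproduced in a scratch directory as an added example (this is not the sudo package's own scriptlet): a mktemp-based rewrite hands the target the temp file's 0600 mode, while a rewrite that copies the target's mode onto the temp file before the rename keeps 0644, and a separate check repairs a file that was already left unreadable. The function names and the sample nsswitch.conf are constructed for this example; it assumes GNU coreutils (stat -c, mktemp).

```shell
# Added example, not the sudo package scriptlet: reproduces in a scratch
# directory why the scriptlet leaves nsswitch.conf 0600 and shows a rewrite
# that keeps the original mode. Assumes GNU coreutils (stat -c, mktemp).

# Octal mode of a file, e.g. 644.
file_mode() {
    stat -c '%a' "$1"
}

# The scriptlet's approach: mktemp creates its file 0600 whatever the umask,
# and mv -f carries that mode onto the target when it replaces it.
strip_sudoers_via_mktemp() {
    tmp=$(mktemp) || return 1
    grep -v '^sudoers: files ldap$' "$1" > "$tmp" && mv -f "$tmp" "$1"
}

# Mode-preserving rewrite: temp file beside the target, target's mode copied
# onto it before the rename, so the replacement keeps the original mode.
strip_sudoers_keep_mode() {
    tmp=$(mktemp "$(dirname "$1")/nsswitch.XXXXXX") || return 1
    grep -v '^sudoers: files ldap$' "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod "$(file_mode "$1")" "$tmp" && mv -f "$tmp" "$1"
}

# The other half of the el5_8.3 fix: repair a file already left unreadable.
ensure_world_readable() {
    [ "$(file_mode "$1")" = 644 ] || chmod 0644 "$1"
}

# Constructed sample like the reporter's attachment: 0644, with a sudoers line.
make_sample() {
    dir=$(mktemp -d) || return 1
    printf 'passwd: files\nhosts: files dns\nsudoers: files ldap\n' > "$dir/nsswitch.conf"
    chmod 0644 "$dir/nsswitch.conf"
    echo "$dir/nsswitch.conf"
}

# Run a rewrite function on a fresh sample; print "<mode before> <mode after>".
demo() {
    f=$(make_sample) || return 1
    before=$(file_mode "$f")
    "$1" "$f"
    after=$(file_mode "$f")
    rm -rf "$(dirname "$f")"
    echo "$before $after"
}

echo "mktemp rewrite:          $(demo strip_sudoers_via_mktemp)"   # 644 600
echo "mode-preserving rewrite: $(demo strip_sudoers_keep_mode)"    # 644 644
```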

~0015650 tigalch (manager)
Last edited: 2012-08-14 18:45

Any further feedback on this issue - it appears to be fixed?

~0015657 tigalch (manager)

Fixed as per the reporters' feedback with this errata: http://lists.centos.org/pipermail/centos-announce/2012-August/018796.html

Issue History
Date Modified      Username          Field                 Change
2012-08-08 14:50   jodie.cunningham  New Issue
2012-08-08 14:50   jodie.cunningham  File Added            nsswitch.conf
2012-08-08 19:09   JohnnyHughes      Note Added            0015610
2012-08-08 20:53   toracat           Status                new => confirmed
2012-08-09 13:52   JohnnyHughes      Note Edited           0015610
2012-08-10 06:54   strahinjak        Note Added            0015617
2012-08-13 12:16   neufeind          Note Added            0015631
2012-08-13 12:25   jodie.cunningham  Note Added            0015632
2012-08-13 15:08   tigalch           Note Added            0015634
2012-08-13 17:14   tigalch           Note Added            0015635
2012-08-13 17:15   neufeind          Note Added            0015636
2012-08-14 18:45   tigalch           Note Added            0015650
2012-08-14 18:45   tigalch           Status                confirmed => feedback
2012-08-14 18:45   tigalch           Note Edited           0015650
2012-08-15 10:56   range             Relationship added    has duplicate 0005896
2012-08-15 11:16   tigalch           Note Added            0015657
2012-08-15 11:16   tigalch           Status                feedback => resolved
2012-08-15 11:16   tigalch           Fixed in Version      => 5.8
2012-08-15 11:16   tigalch           Resolution            open => fixed