| ID | Project | Category | View Status | Date Submitted | Last Update | ||||
|---|---|---|---|---|---|---|---|---|---|
| 0005883 | CentOS-5 | sudo | public | 2012-08-08 14:50 | 2012-08-15 11:16 | ||||
| Reporter | jodie.cunningham | ||||||||
| Priority | normal | Severity | major | Reproducibility | always | ||||
| Status | resolved | Resolution | fixed | ||||||
| Platform | OS | OS Version | 5.8 | ||||||
| Product Version | 5.8 | ||||||||
| Target Version | Fixed in Version | 5.8 | |||||||
| Summary | 0005883: Post-install script for sudo sets /etc/nsswitch.conf to mode 600 | ||||||||
| Description | Under certain circumstances, the use of mktemp in the post-install script for sudo creates an 0600 root:root file in /tmp/ and then moves it to /etc/nsswitch.conf. This is unreadable by the users and breaks any hostnames in /etc/hosts, as well as any custom nsswitch dependencies like NIS before DNS. Permissions on /etc/nsswitch.conf should be 0644. This only occurs in nsswitch.conf files with an existing "sudoers:" line. If there is no "sudoers:" line, the resulting permissions are 0644. | ||||||||
| Steps To Reproduce | Run the post-install script from sudo-1.7.2p1-14.el5_8.2 against the attached nsswitch.conf | ||||||||

postinstall:

```sh
if grep -q '^sudoers: files ldap$' "/etc/nsswitch.conf"; then
    NSSWITCH_TMPFILE=$(mktemp)
    grep -v '^sudoers: files ldap$' "/etc/nsswitch.conf" > "$NSSWITCH_TMPFILE" && \
    mv -f "$NSSWITCH_TMPFILE" "/etc/nsswitch.conf"
    restorecon "/etc/nsswitch.conf"
fi
if ! grep -q '^[[:space:]]*sudoers:' "/etc/nsswitch.conf"; then
    # No "sudoers:" line in nsswitch.conf, add a default one
    echo "sudoers: files ldap" >> "/etc/nsswitch.conf"
    restorecon "/etc/nsswitch.conf"
fi
```

| Tags | No tags attached. | ||||||||
| Attached Files |
| ||||||||
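
The permission change described in this report, as an added example that is not part of the original ticket or of the sudo package: it runs the scriptlet's mktemp-and-mv pattern on a constructed file in a scratch directory, next to a variant that writes back through the existing file, and a mode check. The function names, the sample file and the safer variant are assumptions for illustration; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example: works on a constructed file in a scratch directory, never /etc.
# Assumes GNU coreutils (stat -c), as on CentOS. Function names are illustrative.
mode_of() { stat -c '%a' "$1"; }

# Constructed sample nsswitch.conf containing the line the scriptlet removes.
make_sample() {
    printf 'hosts: files dns\nsudoers: files ldap\n' > "$1"
    chmod 0644 "$1"
}

# Pattern from the report: mktemp creates the file 0600, and mv -f puts that
# inode, with its mode, in place of the 0644 original.
strip_via_mv() {
    tmp=$(mktemp) || return 1
    grep -v '^sudoers: files ldap$' "$1" > "$tmp" && mv -f "$tmp" "$1"
}

# Safer variant (an assumption, not the vendor's patch): stage the filtered
# text, then write it back through the existing inode so the mode and owner
# of the original file are unchanged. Not atomic, unlike a rename.
strip_keep_inode() {
    tmp=$(mktemp) || return 1
    if grep -v '^sudoers: files ldap$' "$1" > "$tmp"; then
        cat "$tmp" > "$1"
    fi
    rm -f "$tmp"
}

# Post-update check: report and repair a file whose mode has drifted.
ensure_mode() {
    have=$(mode_of "$1")
    [ "$have" = "$2" ] && return 0
    echo "fixing $1: mode $have -> $2" >&2
    chmod "$2" "$1"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir/a"; strip_via_mv "$dir/a"
    make_sample "$dir/b"; strip_keep_inode "$dir/b"
    result="mv=$(mode_of "$dir/a") inplace=$(mode_of "$dir/b")"
    ensure_mode "$dir/a" 644
    result="$result repaired=$(mode_of "$dir/a")"
    rm -rf "$dir"
    echo "$result"
}

demo
```
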
Notes |
JohnnyHughes (administrator) 2012-08-08 19:09 Last edited: 2012-08-09 13:52 |
This has been submitted upstream: http://bugzilla.redhat.com/show_bug.cgi?id=844420 Also addressed in the following: http://bugzilla.redhat.com/show_bug.cgi?id=846631 http://bugzilla.redhat.com/show_bug.cgi?id=846764 |
|
strahinjak (reporter) 2012-08-10 06:54 |
I can confirm this bug just happened to me. After the update nsswitch.conf had 600 permissions. This bug should have a critical priority, since this can break any service that is run by a non-root user and it needs to resolve host names. I had a problem with PostgreSQL, since it couldn't resolve "localhost" and it didn't want to start. |
|
neufeind (reporter) 2012-08-13 12:16 |
In 844420 at RedHat they claim to have it Fixed In Version: sudo-1.7.2p1-14.el5_8.1 However this CentOS-bug says it's reproducible in sudo-1.7.2p1-14.el5_8.2. So is there a fix already? Is it available in CentOS? |
|
jodie.cunningham (reporter) 2012-08-13 12:25 |
neufeind, the relevant RH bug is 846631. |
|
tigalch (manager) 2012-08-13 15:08 |
upstream released sudo-1.7.2p1-14.el5_8.3. According to the RHBA this specific issue should be fixed (http://rhn.redhat.com/errata/RHBA-2012-1160.html) |
|
tigalch (manager) 2012-08-13 17:14 |
Update released: http://lists.centos.org/pipermail/centos-announce/2012-August/018796.html |
|
neufeind (reporter) 2012-08-13 17:15 |
Thanks. And I just discovered that CentOS meanwhile also ships that version 8.3. Permissions are still correct after upgrading to that version. Changelog says: * Fri Aug 10 2012 Daniel Kopecek <dkopecek@redhat.com> - 1.7.2p1-14.3 - don't use a temporary file when modifying nsswitch.conf - fix permissions on nsswitch.conf, if needed So I guess this ticket can be declared fixed. |
|
tigalch (manager) 2012-08-14 18:45 Last edited: 2012-08-14 18:45 |
Any further feedback on this issue - it appears to be fixed? |
|
tigalch (manager) 2012-08-15 11:16 |
Fixed as per reporter's feedback with this errata http://lists.centos.org/pipermail/centos-announce/2012-August/018796.html |
Issue History |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2012-08-08 14:50 | jodie.cunningham | New Issue | |
| 2012-08-08 14:50 | jodie.cunningham | File Added: nsswitch.conf | |
| 2012-08-08 19:09 | JohnnyHughes | Note Added: 0015610 | |
| 2012-08-08 20:53 | toracat | Status | new => confirmed |
| 2012-08-09 13:52 | JohnnyHughes | Note Edited: 0015610 | View Revisions |
| 2012-08-10 06:54 | strahinjak | Note Added: 0015617 | |
| 2012-08-13 12:16 | neufeind | Note Added: 0015631 | |
| 2012-08-13 12:25 | jodie.cunningham | Note Added: 0015632 | |
| 2012-08-13 15:08 | tigalch | Note Added: 0015634 | |
| 2012-08-13 17:14 | tigalch | Note Added: 0015635 | |
| 2012-08-13 17:15 | neufeind | Note Added: 0015636 | |
| 2012-08-14 18:45 | tigalch | Note Added: 0015650 | |
| 2012-08-14 18:45 | tigalch | Status | confirmed => feedback |
| 2012-08-14 18:45 | tigalch | Note Edited: 0015650 | View Revisions |
| 2012-08-15 10:56 | range | Relationship added | has duplicate 0005896 |
| 2012-08-15 11:16 | tigalch | Note Added: 0015657 | |
| 2012-08-15 11:16 | tigalch | Status | feedback => resolved |
| 2012-08-15 11:16 | tigalch | Fixed in Version | => 5.8 |
| 2012-08-15 11:16 | tigalch | Resolution | open => fixed |


