[sudo-workers] Runas(_alias) group
Todd C. Miller
Todd.Miller at courtesan.com
Tue Oct 25 10:50:10 EDT 2011
On Tue, 25 Oct 2011 14:33:07 +0200, Daniel Kopecek wrote:
> It seems that there is a bug in the handling (matching) of groups in
> Runas & Runas_alias lists. There are several ways to specify a runas
> group and some of them, although correctly parsed, are ignored in the
> matching phase. Here are some non-working examples, one of them is from
> the sudoers manpage:
>
> 1) Using %group syntax + an alias
> User_Alias OK_GROUP = %a
> Runas_Alias OK_RUNAS_GROUP = %b, %c
> OK_GROUP ALL = (OK_RUNAS_GROUP) ALL
>
> ...which can be stripped down to:
>
> %a ALL=(%b) ALL
>
> ...which also does not work.

That rule should mean that any user in group 'a' can run any command
as a user who is in group 'b'. This works as expected for me.

> 2) Using an alias
> Runas_Alias ADMINGRP = b, c
> %a ALL = (: ADMINGRP) /usr/bin/id

That is definitely a bug. Instead of:

    rval = _runaslist_matches(&a->members, &empty);

it should be:

    rval = _runaslist_matches(&empty, &a->members);

- todd
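
The effect of the swapped arguments, as an added example (a simplified model written for this page, not sudo's source and not code from the post): it assumes the matcher takes a user list first and a group list second, as the corrected call implies, and the types, `fixed` switch and `check_group` helper are hypothetical. With the alias members passed in the user-list slot, a group-only request under `(: ADMINGRP)` never matches; with the corrected order it does.

```c
#include <stdio.h>
#include <string.h>
/* Simplified model, not sudo's source: an entry is a plain name or an alias. */
enum { UNSPEC = -1, ALLOW = 1 };
struct member { const char *name; int is_alias; };
struct list { const struct member *m; size_t n; };
/* Constructed sample: Runas_Alias ADMINGRP = b, c  and a rule  (: ADMINGRP) */
static const struct member admingrp_m[] = { {"b", 0}, {"c", 0} };
static const struct member rule_m[] = { {"ADMINGRP", 1} };
static const struct list admingrp = { admingrp_m, 2 }, empty = { NULL, 0 };
static const struct list rule_groups = { rule_m, 1 };

/* Match requested runas user/group (NULL = not requested) against both lists.
 * `fixed` selects the argument order used to expand an alias in the group list. */
static int runaslist_matches(const struct list *users, const struct list *groups,
                             const char *user, const char *group, int fixed)
{
    int user_matched = UNSPEC, group_matched = UNSPEC;
    if (user != NULL)
        for (size_t i = 0; i < users->n; i++)
            if (!users->m[i].is_alias && strcmp(users->m[i].name, user) == 0)
                user_matched = ALLOW;
    if (group != NULL) {
        if (user == NULL)
            user_matched = ALLOW;       /* only the group is being changed */
        for (size_t i = 0; i < groups->n; i++) {
            if (groups->m[i].is_alias) {
                int rval = fixed
                    ? runaslist_matches(&empty, &admingrp, user, group, fixed)
                    : runaslist_matches(&admingrp, &empty, user, group, fixed);
                if (rval != UNSPEC)
                    group_matched = rval;
            } else if (strcmp(groups->m[i].name, group) == 0)
                group_matched = ALLOW;
        }
    }
    return (user_matched == group_matched || group == NULL) ? user_matched : UNSPEC;
}

/* Outcome of requesting only a runas group (as with sudo -g) under the rule. */
static int check_group(const char *group, int fixed)
{
    return runaslist_matches(&empty, &rule_groups, NULL, group, fixed);
}

int main(void)
{
    printf("-g b  buggy=%d fixed=%d\n", check_group("b", 0), check_group("b", 1));
    return 0;
}
```

In this model the swapped call fails closed: the rule is skipped rather than matching a wider set of targets, which is consistent with the report that such entries are ignored in the matching phase.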