[sudo-users] secondary groups not honoured

Todd C. Miller Todd.Miller at courtesan.com
Thu Oct 28 18:16:20 EDT 2004

In message <20041028214755.GA18183 at cirrus.madduck.net>
	so spake martin f krafft (madduck):

> Yes, LDAP is being used.
> Why does it work for the primary group? Is there any way to make it
> work for the secondary group too?

It works for the primary group because that is listed in the struct
passwd returned by getpwuid().  There are two ways to deal with the
secondary groups:

    1) call getgroups() to get the user's group vector from the kernel
       and use this list for checking against sudoers.

    2) look up groups listed in sudoers via getgrnam() and see if
       the user running sudo is listed as a member.

Sudo does #2 since not all OSes intialize the group vector (for
instance, HP-UX does not).  For your system it should work as
expected if you configure nsswitch.conf to look in LDAP before the
local file.

 - todd

More information about the sudo-users mailing list