[sudo-users] sudo failing to recognize user's group membership

Shoemaker, Paul A. PASHOEMA at southernco.com
Thu Mar 22 15:03:31 EDT 2007


I'm running sudo 1.6.8p12 on an HP PA-RISC server running HP-UX 11.00.
The server uses both local and network user and group databases.

I recently had a problem where a user was not being allowed to execute
any commands via sudo on this host, despite having all the right entries
in sudoers and being a member of the appropriate groups.  The server
configuration is as follows:
*  nsswitch has both passwd and group configured to search the
   local file first, then a network source second:
     passwd:  files vas
     group:   files vas
*  the group in question is defined in both sources with identical
   group name/GID but different member list (the local group definition
   identifies a local user as a member, the network definition lists the
   network users that are members):
     /etc/group - groupa::9999:localuser
     vas        - groupa::9999:netuser1,netuser2, netuser3,...
*  the user is a network user.

It appeared that sudo was not recognizing that the network user is a
member of the group.  When I added the network user to the local
definition for the group, sudo finally allowed the user to execute
commands.

The HP-UX implementation of the group database limits the length of a
line in /etc/group but allows there to be multiple lines defining the
group so that all of the members can be listed.  Does sudo not take this
into account?  Does anybody have a good resolution for this problem
(besides adding the network users to the locally-defined group)?

Paul A. Shoemaker
8-257-3737:  Phone
8-257-3993:  FAX
8-381-4215:  LINC

Normal Office Hours:  0600-1500 CT
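A simplified model of the lookup behaviour described in the post above, added here as an example that is not part of the original message or of sudo itself. It assumes that a by-name group lookup stops at the first nsswitch source that knows the group (files before vas) and that sudo 1.6 tests membership by primary GID or by scanning the returned member list; the /etc/group and vas records are constructed sample data.

```python
# Simplified model of a group lookup under "group: files vas" and why a member
# listed only in the network source is invisible to a first-match check.
# The /etc/group and vas records below are constructed sample data.

def parse_group_lines(lines):
    """Parse /etc/group-style lines into {name: {"gid": int, "members": [...]}}.
    Several lines naming the same group (the HP-UX convention for long member
    lists) are merged into one entry."""
    groups = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _passwd, gid, members = line.split(":", 3)
        entry = groups.setdefault(name, {"gid": int(gid), "members": []})
        entry["members"].extend(m.strip() for m in members.split(",") if m.strip())
    return groups

def lookup_first_match(sources, name):
    """Assumed getgrnam() behaviour under nsswitch: the first source that knows
    the group wins and later sources are not consulted."""
    for src in sources:
        if name in src:
            return src[name]
    return None

def lookup_merged(sources, name):
    """Union of the member lists across all sources (what the poster expected)."""
    merged = None
    for src in sources:
        if name in src:
            merged = merged or {"gid": src[name]["gid"], "members": []}
            merged["members"].extend(m for m in src[name]["members"]
                                     if m not in merged["members"])
    return merged

def is_member(entry, user, primary_gid):
    """Assumed sudo 1.6-style test: primary GID matches or user is in gr_mem."""
    return entry is not None and (entry["gid"] == primary_gid
                                  or user in entry["members"])

LOCAL = parse_group_lines(["groupa::9999:localuser"])                      # /etc/group
NETWORK = parse_group_lines(["groupa::9999:netuser1,netuser2, netuser3"])  # vas
SOURCES = [LOCAL, NETWORK]  # nsswitch order: files, then vas

if __name__ == "__main__":
    for user in ("localuser", "netuser1"):
        print(user, "first-match:", is_member(lookup_first_match(SOURCES, "groupa"), user, 20),
              "merged:", is_member(lookup_merged(SOURCES, "groupa"), user, 20))
```

Running it shows netuser1 rejected under first-match but accepted under the merged view, which is the symptom in the post; adding the network user to the local line simply makes the first-match entry already contain the name.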
