[sudo-users] sudo failing to recognize user's group membership
Shoemaker, Paul A.
PASHOEMA at southernco.com
Thu Mar 22 15:03:31 EDT 2007
I'm running sudo 1.6.8p12 on an HP PA-RISC server running HP-UX 11.00.
The server uses both local and network user and group databases.
I recently had a problem where a user was not being allowed to execute
any commands via sudo on this host, despite having all the right entries
in sudoers and being a member of the appropriate groups. The server
configuration is as follows:
* nsswitch has both passwd and group configured to search the
  local file first, then a network source second:
    passwd: files vas
    group:  files vas
* the group in question is defined in both sources with identical
  group name/GID but different member lists (the local group definition
  identifies a local user as a member; the network definition lists the
  network users that are members):
    /etc/group - groupa::9999:localuser
    vas        - groupa::9999:netuser1,netuser2,netuser3,...
* the user is a network user.
It appeared that sudo was not recognizing that the network user is a
member of the group. When I added the network user to the local
definition for the group, sudo finally allowed the user to execute
The HP-UX implementation of the group database limits the length of a
line in /etc/group but allows there to be multiple lines defining the
group so that all of the members can be listed. Does sudo not take this
into account? Does anybody have a good resolution for this problem
(besides adding the network users to the locally-defined group)?
Paul A. Shoemaker
Normal Office Hours: 0600-1500 CT
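To make the symptom described in the post concrete, the following is an added example (not code from the post, and not sudo's own code) that models the configuration above: a group defined in both /etc/group and a network source, looked up under "group: files vas". It assumes that the membership check behaves like any getgrnam()-based one, treating the user as a member only if the group is the user's primary group from passwd or the user's name appears in the member list the lookup returned; that assumption, and the sample group data, are constructed for the example. The two lookup functions show first-match resolution (the first source holding the group answers and the rest are never consulted) beside the merged resolution the poster expected, and the HP-UX convention of spreading one group over several lines is handled in the parser.

```python
"""Model of nsswitch group lookup: first-match versus merged membership.

Constructed example; not code from the post or from sudo. It reproduces the
setup described above: 'groupa' (GID 9999) exists in both /etc/group and
the network source with different member lists, and nsswitch.conf says
'group: files vas'. A lookup that stops at the first source holding the
group never sees the network members.
"""

# Constructed sample data modelled on the post (not real accounts).
# HP-UX lets a group span several lines so that long member lists fit
# within the per-line limit; the second 'groupa' line stands in for that.
ETC_GROUP = """\
root::0:root
groupa::9999:localuser
groupa::9999:localuser2
"""

# Simulated network (vas) group source, in the same text format for simplicity.
VAS_GROUP = """\
groupa::9999:netuser1,netuser2,netuser3
"""

# Lookup order from /etc/nsswitch.conf ('group: files vas').
NSSWITCH_GROUP = ("files", "vas")


def parse_group_db(text):
    """Parse group(4)-style text into {name: (gid, [members])}.

    Repeated lines for one group are concatenated into a single member
    list (the HP-UX multi-line convention); a GID mismatch between the
    repeats is treated as an error. Whitespace around member names is
    tolerated for the constructed sample only; do not rely on a real
    NSS parser doing the same.
    """
    db = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError("malformed group line: %r" % raw)
        name, _passwd, gid, members = fields
        gid = int(gid)
        member_list = [m.strip() for m in members.split(",") if m.strip()]
        if name in db:
            if db[name][0] != gid:
                raise ValueError("conflicting GID for group %s" % name)
            db[name][1].extend(m for m in member_list if m not in db[name][1])
        else:
            db[name] = (gid, member_list)
    return db


SOURCES = {"files": parse_group_db(ETC_GROUP), "vas": parse_group_db(VAS_GROUP)}


def getgrnam_first_match(name, order=NSSWITCH_GROUP, sources=SOURCES):
    """Emulate getgrnam() under 'files vas': the first source that holds
    the group answers, and later sources are not consulted."""
    for src in order:
        if name in sources[src]:
            return sources[src][name]
    return None


def getgrnam_merged(name, order=NSSWITCH_GROUP, sources=SOURCES):
    """Union of the member lists from every source (what the poster
    expected). Returns None if no source knows the group."""
    gid, members = None, []
    for src in order:
        entry = sources[src].get(name)
        if entry is None:
            continue
        if gid is None:
            gid = entry[0]
        members.extend(m for m in entry[1] if m not in members)
    return None if gid is None else (gid, members)


def is_member(user, primary_gid, group, lookup=getgrnam_first_match):
    """Membership test as a getgrnam()-based program does it (assumed here
    to be how sudo decides): the group is the user's primary group from
    passwd, or the user's name appears in the returned member list."""
    entry = lookup(group)
    if entry is None:
        return False
    gid, members = entry
    return gid == primary_gid or user in members


def diagnose(user, primary_gid, group):
    """Compare both lookup semantics for one user; a mismatch between the
    two answers is exactly the symptom described in the post."""
    return {
        "first_match": is_member(user, primary_gid, group),
        "merged": is_member(user, primary_gid, group, lookup=getgrnam_merged),
    }


if __name__ == "__main__":
    for user in ("localuser", "localuser2", "netuser1"):
        print(user, diagnose(user, 5000, "groupa"))
```

Running the block prints a first_match/merged pair per user; netuser1 comes back as a member only under the merged semantics, which is why adding the network users to the local /etc/group line made sudo accept them. On a live host, Python's standard-library grp.getgrnam(name).gr_mem reports what the system resolver actually returned for the name, and is the quickest way to confirm which source answered.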