[sudo-users] chmod /usr/bin/sudo: Executable for a group only - but over setgid wrapper?

Thomas.Ackermann.fa.anykey at eon-ruhrgas.com Thomas.Ackermann.fa.anykey at eon-ruhrgas.com
Fri Oct 12 01:51:07 EDT 2007


Hello,
I am trying to do the following: using sudo over a wrapper, which restricts access to members of a certain group, giving membership to that group via the setgid bit.
I try it like the following:

$ ls -al /usr/bin/sudo 
---s--x---  1 root sudogrp 97440 2005-06-23 13:35 /usr/bin/sudo* 


That is, only members of the "sudogrp" should be able to run "sudo". 

If the user in question is a member of the group "sudogrp", everything works fine:

$ id 
uid=2725(swdist) gid=2725(swdist) groups=14(uucp),16(dialout),17(audio),33(video),2725(swdist),2750(sudogrp) 


The wrapper looks like this:
------sr-x  1 root sudogrp 23540 2007-09-23 16:38 /usr/local/bin/sudowrapper* 

That is, it *gives* any user the effective GID of "sudogrp" and can provide logging and access restrictions.


But when the user only *gets* the group membership over a setgid wrapper (giving only the "EGID", not the "GID" of "sudogrp"), it does NOT work:

my id is: uid=2725(swdist) gid=2725(swdist) egid=2750(sudogrp) groups=14(uucp),16(dialout),17(audio),33(video),2725(swdist) 

Then I just get a "permission denied"!
It seems that, under Linux, sudo cannot be used over such a wrapper.

So, my question is whether there is a way to enable access to "sudo" even if the user only has the EGID of the group allowed to execute it, but not the "full" and regular GID of that group ...

The wrapper, containing a setgid, is needed for additional logging purposes.
Right now, members of the group "sudogrp" could execute "sudo" without using the wrapper, which I want to disallow.

Any idea? 
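As an added illustration, not code from the original post: this C program models the classic POSIX mode-bit check for execute permission, which consults the effective GID and the supplementary groups, and runs it over the three identities described above (regular member of sudogrp, member only via the setgid wrapper's EGID, non-member). It models nothing beyond the mode bits of /usr/bin/sudo itself; whatever the wrapper or sudo does after the execve is outside the model, and the struct and function names are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
/* Process identity as the permission check sees it. Names are assumptions
 * made for this added example. */
struct cred {
    uid_t euid;
    gid_t egid;           /* what a setgid wrapper changes */
    const gid_t *groups;  /* supplementary groups, unchanged by the wrapper */
    size_t ngroups;
};

/* Group membership: the effective GID or any supplementary group counts,
 * mirroring the kernel's in_group_p() used by the mode-bit check. */
static bool in_group(const struct cred *c, gid_t g) {
    if (c->egid == g)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == g)
            return true;
    return false;
}

/* Classic owner -> group -> other check for the execute bit. Root bypasses
 * the bits but still needs at least one x bit set to execve() a file. */
bool may_exec(const struct cred *c, uid_t file_uid, gid_t file_gid, mode_t mode) {
    if (c->euid == 0)
        return (mode & 0111) != 0;
    if (c->euid == file_uid)
        return (mode & 0100) != 0;
    if (in_group(c, file_gid))
        return (mode & 0010) != 0;
    return (mode & 0001) != 0;
}
int main(void) {
    /* /usr/bin/sudo from the post: root:sudogrp(2750), mode ---s--x--- */
    const uid_t sudo_uid = 0; const gid_t sudo_gid = 2750; const mode_t sudo_mode = 04110;
    /* Constructed identities taken from the two id outputs in the post */
    const gid_t regular[] = {14, 16, 17, 33, 2725, 2750};
    const gid_t wrapped[] = {14, 16, 17, 33, 2725};
    struct cred member   = {2725, 2725, regular, 6}; /* sudogrp in groups */
    struct cred viawrap  = {2725, 2750, wrapped, 5}; /* sudogrp only as EGID */
    struct cred outsider = {2725, 2725, wrapped, 5}; /* no sudogrp at all */
    printf("regular member: %d\n", may_exec(&member, sudo_uid, sudo_gid, sudo_mode));
    printf("via wrapper:    %d\n", may_exec(&viawrap, sudo_uid, sudo_gid, sudo_mode));
    printf("outsider:       %d\n", may_exec(&outsider, sudo_uid, sudo_gid, sudo_mode));
    return 0;
}
```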