[sudo-users] chmod /usr/bin/sudo: Executable for a group only - but over setgid wrapper?

Thomas Ackermann tja at tja-server.de
Wed Sep 26 12:55:11 EDT 2007


Hello,
I am trying to do the following:

$ ls -al /usr/bin/sudo
---s--x---  1 root sudogrp 97440 2005-06-23 13:35 /usr/bin/sudo*


That is, only members of the "sudogrp" should be able to run "sudo".

If the user in question is a member of the group "sudogrp", everything 
works fine:

$ id
uid=2725(swdist) gid=2725(swdist) 
groups=14(uucp),16(dialout),17(audio),33(video),2725(swdist),2750(sudogrp)



But when the user only *gets* the group membership through a setgid wrapper, 
which gives only the "EGID", not the "GID", of "sudogrp", it does NOT work:

My id is: uid=2725(swdist) gid=2725(swdist) egid=2750(sudogrp) 
groups=14(uucp),16(dialout),17(audio),33(video),2725(swdist)

Then I just get a "permission denied"!

So, my question is whether there is a way to enable access to "sudo" even if 
the user only has the EGID of the group allowed to execute it, but not 
the "full", regular GID of that group ...

The wrapper, which is setgid, is needed for additional logging purposes.
Right now, members of the group "sudogrp" could execute "sudo" without 
using the wrapper, which I want to disallow.

Any idea?
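As an added example (not the poster's wrapper and not sudo project code), a minimal C setgid wrapper of the kind described above: it logs the call to syslog, makes the real GID equal to the effective GID so that nothing between the wrapper and sudo drops it (a shell, for instance, resets its effective GID to the real one unless started with -p), and then execs sudo directly with no shell in between. The helper group_allows_exec() models the kernel's group-class permission test, in which the effective (filesystem) GID or any supplementary group matching the file's group is enough, so an EGID of sudogrp that survives to the execve() of a ---s--x--- sudo passes it. The path /usr/bin/sudo, the GID 2750 and the syslog facility are assumptions taken from the post or chosen for the example.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <syslog.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption for this example: path of the real sudo binary. */
#define SUDO_PATH "/usr/bin/sudo"

/* Model of the kernel's group-class test for a mode-bit check: the
 * group bits apply when the file's GID equals the process's effective
 * (filesystem) GID or any of its supplementary groups. Returns 1 if
 * the group class grants execute, 0 otherwise. */
int group_allows_exec(mode_t mode, gid_t file_gid, gid_t egid,
                      const gid_t *groups, int ngroups)
{
    int member = (egid == file_gid);
    for (int i = 0; i < ngroups && !member; i++)
        member = (groups[i] == file_gid);
    return member && (mode & S_IXGRP) != 0;
}

int main(int argc, char *argv[])
{
    gid_t egid = getegid();   /* the wrapper's setgid group (sudogrp) */

    /* Log the invocation before anything else runs: who, and what was asked. */
    openlog("sudo-wrapper", LOG_PID, LOG_AUTH);
    syslog(LOG_INFO, "uid=%u gid=%u egid=%u argc=%d first_arg=%s",
           (unsigned)getuid(), (unsigned)getgid(), (unsigned)egid,
           argc, argc > 1 ? argv[1] : "(none)");
    closelog();

    /* Make the real GID match the effective one so that no intermediate
     * program (a shell, for instance, resets egid to gid unless given -p)
     * drops the group before the execve() of sudo is reached. */
    if (setregid(egid, egid) != 0) {
        perror("setregid");
        return 1;
    }

    /* Exec sudo directly, passing the arguments through; no shell in between. */
    execv(SUDO_PATH, argv);
    perror("execv " SUDO_PATH);
    return 127;
}
```

Build it with the group bit set on the wrapper itself (chgrp sudogrp, chmod 2750 or similar), so the logging path is the only entry point for non-members of sudogrp.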
