[sudo-users] chmod /usr/bin/sudo: Executable for a group only - but over setgid wrapper?
tja at tja-server.de
Wed Sep 26 12:55:11 EDT 2007
I am trying to do the following:
$ ls -al /usr/bin/sudo
---s--x--- 1 root sudogrp 97440 2005-06-23 13:35 /usr/bin/sudo*
That is, only members of the "sudogrp" should be able to run "sudo".
If the user in question is member of the group "sudogrp", everything
But when the user only *gets* the group-membership over a setgid-wrapper
- giving only the "EGID", not the "GID" of "sudogrp", it does NOT work:
my id is: uid=2725(swdist) gid=2725(swdist) egid=2750(sudogrp)
Then I just get a "permission denied"!
So, my question is, if there is a way to enable access to "sudo" even if
the user only has the EGID of the group allowed to execute it, but not
the "full" and regular GID of that group ...
The wrapper, containing a setgid, is needed for additional logging purposes.
Right now, members of the group "sudogrp" could execute "sudo" without
using the wrapper - which I want to disallow.
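
An added example, not part of the original post: the classic Unix mode-bit check for execute permission, applied to the file and ids quoted above, once with the real ids (the ones access(2) evaluates) and once with the effective ids (the ones the kernel evaluates at execve(2)). The names `may_exec` and `struct ident` are hypothetical, ACLs are ignored, and it is assumed that swdist has no supplementary group other than 2725.

```c
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Identity used for one permission check (hypothetical helper type). */
struct ident {
    uid_t uid;
    gid_t gid;
    const gid_t *groups;   /* supplementary groups */
    int ngroups;
};

/* Mode-bit check for execute: exactly one of the owner, group or other
 * triplets applies; uid 0 needs at least one x bit. ACLs are ignored. */
int may_exec(mode_t mode, uid_t f_uid, gid_t f_gid, const struct ident *id)
{
    int i;
    if (id->uid == 0)
        return (mode & 0111) != 0;
    if (id->uid == f_uid)
        return (mode & 0100) != 0;
    if (id->gid == f_gid)
        return (mode & 0010) != 0;
    for (i = 0; i < id->ngroups; i++)
        if (id->groups[i] == f_gid)
            return (mode & 0010) != 0;
    return (mode & 0001) != 0;
}

int main(void)
{
    /* Constructed from the post: ---s--x--- root:sudogrp, ids of swdist. */
    const mode_t mode = 04110;
    const uid_t f_uid = 0;         /* root */
    const gid_t f_gid = 2750;      /* sudogrp */
    const gid_t supp[] = { 2725 }; /* assumed supplementary groups */
    struct ident real = { 2725, 2725, supp, 1 }; /* real ids */
    struct ident eff  = { 2725, 2750, supp, 1 }; /* effective ids in wrapper */

    printf("real ids:      %s\n", may_exec(mode, f_uid, f_gid, &real) ? "allowed" : "denied");
    printf("effective ids: %s\n", may_exec(mode, f_uid, f_gid, &eff) ? "allowed" : "denied");
    printf("this process:  gid=%ld egid=%ld\n", (long)getgid(), (long)getegid());
    return 0;
}
```

Printing getgid() and getegid() immediately before the exec call in a wrapper shows which of the two cases the process is actually in at that point.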