[sudo-users] sudo v1.7.1 runas group allows runas any user

Blazejewski Marcin-AMB107 marcin.blazejewski at motorola.com
Fri May 8 11:09:44 EDT 2009

Hi all,
I've been playing with runas group functionality, new in 1.7 versions of
If I understood the manual correctly, if I put something like this in my
sudoers file:
amb107 ALL=(:ftp) NOPASSWD:/usr/bin/id

... then I should only be allowed to run "id" command as ftp group, but
only as the same amb107 user. From sudoers man:

If the first Runas_List is empty but the second is specified, the
command may be run as the invoking user with the group set to any listed
in the Runas_List.

However, I was able to run the command as any other user, including root:
[amb107 at rhel ~]$ sudo -g ftp id
uid=0(root) gid=50(ftp) groups=13(news),100(users)
[amb107 at rhel ~]$ sudo -u root -g ftp id
uid=0(root) gid=50(ftp)

This works only if I kept -g ftp switch:
[amb107 at rhel ~]$ sudo -u root id
Sorry, user amb107 is not allowed to execute '/usr/bin/id' as root on

Is this a bug or am I missing something? How can I restrict uid
I'm using RHEL5, i686, sudo v1.7.1, only the "--prefix" option used during
the build.

Thanks in advance,
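An added example, not part of the post: a small audit over constructed sudoers lines that flags rules written in the group-only Runas_Spec form shown above ("(:ftp)"), so an administrator can list every rule whose effective uid depends on the "same user, group set" behaviour the manual describes. The sample sudoers text and the helper names are constructed for this example.

```python
import re

# Constructed sample sudoers content; only the amb107 line comes from the post.
SAMPLE_SUDOERS = """\
# constructed sample, not a real policy
Defaults    requiretty
root        ALL=(ALL) ALL
amb107 ALL=(:ftp) NOPASSWD:/usr/bin/id
%admin      ALL=(ALL:ALL) ALL
backup      ALL=(root:ftp) /usr/bin/rsync
www         ALL=(:www-data,ftp) /usr/bin/true
"""

# user  host(s) = ( Runas_Spec ) command list
RULE_RE = re.compile(
    r'^(?P<user>\S+)\s+(?P<hosts>[^=\s]+)\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<cmds>.*)$'
)

def parse_runas(spec):
    """Split a Runas_Spec 'users:groups' into (users, groups) lists."""
    users, _, groups = spec.partition(':')
    split = lambda s: [x.strip() for x in s.split(',') if x.strip()]
    return split(users), split(groups)

def find_group_only_rules(text):
    """Return (user, runas_groups, commands) for every rule whose Runas_Spec
    names one or more groups but no user, i.e. the '(:group)' form."""
    hits = []
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()          # drop comments/blank lines
        if not line or line.startswith(('Defaults', 'Cmnd_Alias', 'User_Alias',
                                        'Runas_Alias', 'Host_Alias')):
            continue
        m = RULE_RE.match(line)
        if not m:                                    # no Runas_Spec: defaults to root
            continue
        users, groups = parse_runas(m.group('runas'))
        if groups and not users:
            # strip tags such as NOPASSWD: so the report shows the command only
            cmds = re.sub(r'\b[A-Z]+:\s*', '', m.group('cmds')).strip()
            hits.append((m.group('user'), groups, cmds))
    return hits

if __name__ == '__main__':
    for user, groups, cmds in find_group_only_rules(SAMPLE_SUDOERS):
        print(f"{user}: group-only Runas_Spec {groups} for {cmds}")
```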
