[sudo-users] sudo v1.7.1 runas group allows runas any user

Todd C. Miller Todd.Miller at courtesan.com
Sat May 9 20:57:49 EDT 2009


In message <EAAB8BFF1D052A44830B467F3E9FB6B70799FB4B at zuk35exm64.ds.mot.com>
	so spake "Blazejewski Marcin-AMB107" (marcin.blazejewski):

> Is this a bug or am I missing something? How can I restrict uid
> escalation?
> I'm using RHEL5, i686, sudo v1.7.1, only "--prefix+ option used during
> the build.

This is a bug that was introduced in sudo 1.7.1.  The following diff
fixes it.

 - todd

Index: sudo.c
===================================================================
RCS file: /home/cvs/courtesan/sudo/sudo.c,v
retrieving revision 1.511
diff -u -r1.511 sudo.c
--- sudo.c	18 Apr 2009 23:25:08 -0000	1.511
+++ sudo.c	10 May 2009 00:56:44 -0000
@@ -826,7 +826,7 @@
     if (!update_defaults(SETDEF_CMND))
 	log_error(NO_STDERR|NO_EXIT, "problem with defaults entries");
 
-    if (!runas_user)
+    if (!runas_user && !runas_group)
 	set_runaspw(def_runas_default);	/* may have been updated above */
 
     return(rval);
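
Review bot: the added !runas_group test in "if (!runas_user && !runas_group)" has no explanation; the comment on the next line only says the default may have been updated above. A short comment stating that a request naming only a runas group must skip the set_runaspw(def_runas_default) call would make it less likely that the guard is dropped again. If any other call to set_runaspw(def_runas_default) sits behind a test of runas_user alone, it would need the same check. A regression test with a sudoers entry that grants only a runas group would cover the case reported in this thread.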
