[sudo-users] use of sudo with -g option

Michael Potter michael at potter.name
Fri May 14 22:19:29 EDT 2010

On Fri, May 14, 2010 at 9:32 PM, Michael Potter <michael at potter.name> wrote:
> Sudo Crew,
> I am trying to understand how the -g option works.  Here are some of my tests:
> pottmi:~ pottmi$ id
> uid=501(pottmi) gid=501(pottmi)
> groups=501(pottmi),101(com.apple.sharepoint.group.1),204(_developer),100(_lpoperator),98(_lpadmin),81(_appserveradm),80(admin),79(_appserverusr),61(localaccounts),12(everyone),402(com.apple.access_screensharing)
> pottmi:~ pottmi$ sudo -u root -g everyone id
> Password:
> Sorry, user pottmi is not allowed to execute '/usr/bin/id' as
> root:everyone on pottmi.local.
> So, I add this rule:
> pottmi  ALL=(root:everyone) /usr/bin/id
> And try again:
> pottmi:~ pottmi$ sudo -u root -g everyone id
> uid=0(root) gid=0(wheel)
> groups=0(wheel),101(com.apple.sharepoint.group.1),204(_developer),100(_lpoperator),98(_lpadmin),80(admin),61(localaccounts),29(certusers),20(staff),12(everyone),9(procmod),8(procview),5(operator),4(tty),3(sys),2(kmem),1(daemon),402(com.apple.access_screensharing)
> pottmi:~ pottmi$ sudo -V
> Sudo version 1.7.0
> So, here are my questions:
> 1) Where is it documented to specify a group in the runas user
> specification?  I did not find it anywhere in doc, I just guessed.
> 2) Why doesn't the id command report gid=12?    [12 is everyone's group id]

Regarding #2: I wrote a small C program to dump uid and gid.  The C
program outputs gid = 12.
That got me reading the id man page.  The net result of my research is
I have to run id like this:
pottmi:dumppriv pottmi$ sudo -u pottmi -g everyone id -gr

I am on a mac.

I would still like an answer on question #1.

More information about the sudo-users mailing list