[sudo-users] use of sudo with -g option

Michael Potter michael at potter.name
Fri May 14 22:19:29 EDT 2010


On Fri, May 14, 2010 at 9:32 PM, Michael Potter <michael at potter.name> wrote:
> Sudo Crew,
>
> I am trying to understand how the -g option works.  Here are some of my tests:
>
> pottmi:~ pottmi$ id
> uid=501(pottmi) gid=501(pottmi)
> groups=501(pottmi),101(com.apple.sharepoint.group.1),204(_developer),100(_lpoperator),98(_lpadmin),81(_appserveradm),80(admin),79(_appserverusr),61(localaccounts),12(everyone),402(com.apple.access_screensharing)
> pottmi:~ pottmi$ sudo -u root -g everyone id
> Password:
> Sorry, user pottmi is not allowed to execute '/usr/bin/id' as
> root:everyone on pottmi.local.
>
>
> So, I add this rule:
> pottmi  ALL=(root:everyone) /usr/bin/id
>
> And try again:
> pottmi:~ pottmi$ sudo -u root -g everyone id
> uid=0(root) gid=0(wheel)
> groups=0(wheel),101(com.apple.sharepoint.group.1),204(_developer),100(_lpoperator),98(_lpadmin),80(admin),61(localaccounts),29(certusers),20(staff),12(everyone),9(procmod),8(procview),5(operator),4(tty),3(sys),2(kmem),1(daemon),402(com.apple.access_screensharing)
>
> pottmi:~ pottmi$ sudo -V
> Sudo version 1.7.0
>
> So, here are my questions:
> 1) Where is it documented to specify a group in the runas user
> specification?  I did not find it anywhere in the docs, I just guessed.
>
> 2) Why doesn't the id command report gid=12?    [12 is everyone's group id]
>


Regarding #2: I wrote a small C program to dump uid and gid.  The C
program outputs gid = 12.
That got me reading the id man page.  The net result of my research is
I have to run id like this:
pottmi:dumppriv pottmi$ sudo -u pottmi -g everyone id -gr
12

I am on a Mac.

I would still like an answer on question #1.
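
The message mentions a small C program that dumps uid and gid but does not include it. The following is an added example, not the author's program: it reads the process's real and effective ids straight from the kernel and flags when the real gid differs from the user's primary group in the passwd database, which is the state `sudo -g` is expected to produce. The names `collect_creds`, `gid_overridden` and `MAX_GROUPS` are assumptions made for this example.

```c
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

#define MAX_GROUPS 1024          /* assumed upper bound for this example */

struct creds {
    uid_t ruid, euid;            /* real and effective user id */
    gid_t rgid, egid;            /* real and effective group id */
    int   have_pw;               /* 1 if ruid has a passwd entry */
    gid_t pw_gid;                /* primary group from the passwd database */
    int   ngroups;               /* number of supplementary groups */
    gid_t groups[MAX_GROUPS];
};

/* Fill *c from the running process; returns 0 on success, -1 on error. */
int collect_creds(struct creds *c)
{
    struct passwd *pw;
    c->ruid = getuid();  c->euid = geteuid();
    c->rgid = getgid();  c->egid = getegid();
    pw = getpwuid(c->ruid);
    c->have_pw = (pw != NULL);
    c->pw_gid = pw ? pw->pw_gid : (gid_t)-1;
    c->ngroups = getgroups(MAX_GROUPS, c->groups);
    return c->ngroups < 0 ? -1 : 0;
}

/* 1 when the real gid is not the user's passwd primary group. */
int gid_overridden(const struct creds *c)
{
    return c->have_pw && c->rgid != c->pw_gid;
}

int main(void)
{
    struct creds c;
    int i;
    if (collect_creds(&c) != 0) { perror("getgroups"); return 1; }
    printf("ruid=%lu euid=%lu\n", (unsigned long)c.ruid, (unsigned long)c.euid);
    printf("rgid=%lu egid=%lu\n", (unsigned long)c.rgid, (unsigned long)c.egid);
    printf("supplementary:");
    for (i = 0; i < c.ngroups; i++)
        printf(" %lu", (unsigned long)c.groups[i]);
    printf("\nreal gid differs from passwd primary group: %s\n",
           gid_overridden(&c) ? "yes" : "no");
    return 0;
}
```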


