[sudo-users] Run as multiple groups without password with sudo

Khalid khalidiste at gmail.com
Wed Apr 15 11:29:11 MDT 2015


Yes, it shouldn't work; what I haven't given you is the runas alias:

Runas_Alias  JAILED_USERS     = #8800,#8801,#8802
ALL ALL = (JAILED_USERS) NOPASSWD: ALL

I gave the UIDs directly for users that I consider jailed.
These users don't have an entry in passwd. So by default, sudo gives
them gid 0 and authorizes giving them any other gid!
But this behaviour happens only when the user doesn't have an entry in
passwd.

I changed the sudoers config to the following and did some tests (note
that #1000 does have an entry in the passwd file):

Runas_Alias  JAILED_USERS     = user2,#1000,#8802
ALL ALL = (JAILED_USERS) NOPASSWD: ALL

$ sudo -u  user2 id
uid=1001(user2) gid=1001(user2)
groups=1001(user2),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),110(sambashare)

$ sudo -u user2 -g root id
[sudo] password for bob:

$ sudo -u "#1000" id
[sudo] password for bob:

$ sudo -u "#1000" -g root id
[sudo] password for bob:

$ sudo -u "#8801" id
uid=8801 gid=0(root) groups=0(root)

$ sudo -u "#8801" -g "#5555" id
uid=8801 gid=5555 groups=5555

$ sudo -u "#8801" --preserve-groups id
uid=8801 gid=0(root) groups=1003(bob)

2015-04-15 16:03 GMT+01:00 Todd C. Miller <Todd.Miller at courtesan.com>:

> On Wed, 15 Apr 2015 13:39:01 +0100, Khalid wrote:
>
> > $ sudo --version
> > Sudo version 1.8.9p5
> > Sudoers policy plugin version 1.8.9p5
> > Sudoers file grammar version 43
> > Sudoers I/O plugin version 1.8.9p5
> >
> > Yes, I specified in sudoers that i can run as JAILED_USERS without
> > password, but this doesn't mean that i can run as group root without
> > password:
> >
> > bob ALL=(JAILED_USERS) NOPASSWD: ALL
>
> I just tried again with 1.8.9p5 and I'm unable to reproduce that
> behavior.
>
> Can you give me some more details such as what OS version you are
> running and whether you are using a vendor-supplied sudo package
> or the one from www.sudo.ws?  Also, the output of "sudo -l -U bob"
> (or just "sudo -l" run by user bob) would be helpful.
>
>  - todd
>
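An added audit helper, not code from this thread or from the sudo project: it parses a sudoers fragment modelled on Khalid's (constructed here) and flags NOPASSWD rules whose runas target is a `#uid` with no passwd entry, the case in which he reports sudo 1.8.9p5 defaulting to gid 0 and honouring any -g group. The `resolver` parameter and the rule regex are simplifications for this example, not sudo's real grammar.

```python
import pwd
import re

# Constructed sudoers fragment modelled on the one in the thread; not a real file.
SUDOERS = """\
Runas_Alias  JAILED_USERS     = user2,#1000,#8802
ALL ALL = (JAILED_USERS) NOPASSWD: ALL
"""

ALIAS_RE = re.compile(r"^\s*Runas_Alias\s+(\w+)\s*=\s*(.+?)\s*$", re.M)
RULE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s*=\s*\(([^)]*)\)\s*(NOPASSWD:)?", re.M)

def passwd_has(member):
    """Default resolver: does a runas member ('name' or '#uid') exist in passwd?"""
    try:
        if member.startswith("#"):
            pwd.getpwuid(int(member[1:]))
        else:
            pwd.getpwnam(member)
        return True
    except (KeyError, ValueError):
        return False

def parse_runas_aliases(text):
    """Map each Runas_Alias name to its list of members."""
    return {name: [m.strip() for m in body.split(",") if m.strip()]
            for name, body in ALIAS_RE.findall(text)}

def expand_runas(spec, aliases):
    """Expand a '(...)' runas spec into concrete user members, following aliases."""
    out = []
    for item in (s.strip() for s in spec.split(",") if s.strip()):
        name = item.split(":", 1)[0].strip()  # drop any ':group' part
        if name:
            out.extend(aliases.get(name, [name]))  # alias -> members, else literal
    return out

def find_phantom_runas(text, resolver=passwd_has):
    """Return (user, host, member) triples for NOPASSWD rules whose runas
    target is a '#uid' the resolver cannot find in passwd. Per the thread,
    sudo 1.8.9p5 gave such targets gid 0 and accepted any -g without a prompt."""
    aliases = parse_runas_aliases(text)
    hits = []
    for user, host, spec, nopasswd in RULE_RE.findall(text):
        if not nopasswd:
            continue
        for member in expand_runas(spec, aliases):
            if member.startswith("#") and not resolver(member):
                hits.append((user, host, member))
    return hits
```

Run `find_phantom_runas(open("/etc/sudoers").read())` as root to check a live file with the system's passwd; the default resolver looks UIDs up with the `pwd` module.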