[sudo-users] Run as multiple groups without password with sudo

Khalid khalidiste at gmail.com
Wed Apr 15 11:31:08 MDT 2015


 There are two abnormal behaviours:

   - When using a uid that doesn't have an entry in passwd, the default
   gid is 0 even if the flag --preserve-groups is set. And the user may choose
   any other gid. By default, it should be set to nogroup gid or to the same uid
   (failsafe?).
   - When using a uid that does have an entry in passwd, sudo still asks
   for the password even if NOPASSWD: is specified.


2015-04-15 18:29 GMT+01:00 Khalid <khalidiste at gmail.com>:

> Yes it shouldn't work, what I haven't given you is the runas alias:
>
> Runas_Alias  JAILED_USERS     = #8800,#8801,#8802
> ALL ALL = (JAILED_USERS) NOPASSWD: ALL
>
>
> I gave directly uids of users that I consider jailed.
> These users don't have an entry in the passwd. So by default, sudo gives
> them the gid 0, and authorizes giving them any other gid!
> But, this behaviour happens only when the user doesn't have an entry in
> passwd.
>
> I changed the sudoers config to the following and did some tests: (Note
> that #1000 does have an entry in passwd file)
>
>
> Runas_Alias  JAILED_USERS     = user2,#1000,#8802
> ALL ALL = (JAILED_USERS) NOPASSWD: ALL
>
>
> $ sudo -u  user2 id
> uid=1001(user2) gid=1001(user2)
> groups=1001(user2),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),108(lpadmin),110(sambashare)
>
> $ sudo -u user2 -g root id
> [sudo] password for bob:
>
>
> $ sudo -u "#1000" id
> [sudo] password for bob:
>
> $ sudo -u "#1000" -g root id
> [sudo] password for bob:
>
> $ sudo -u "#8801" id
> uid=8801 gid=0(root) groups=0(root)
>
> $ sudo -u "#8801" -g "#5555" id
> uid=8801 gid=5555 groups=5555
>
> $ sudo -u "#8801" --preserve-groups id
> uid=8801 gid=0(root) groups=1003(bob)
>
> 2015-04-15 16:03 GMT+01:00 Todd C. Miller <Todd.Miller at courtesan.com>:
>
>> On Wed, 15 Apr 2015 13:39:01 +0100, Khalid wrote:
>>
>> > $ sudo --version
>> > Sudo version 1.8.9p5
>> > Sudoers policy plugin version 1.8.9p5
>> > Sudoers file grammar version 43
>> > Sudoers I/O plugin version 1.8.9p5
>> >
>> > Yes, I specified in sudoers that I can run as JAILED_USERS without
>> > password, but this doesn't mean that i can run as group root without
>> > password:
>> >
>> > bob ALL=(JAILED_USERS) NOPASSWD: ALL
>>
>> I just tried again with 1.8.9p5 and I'm unable to reproduce that
>> behavior.
>>
>> Can you give me some more details such as what OS version you are
>> running and whether you are using a vendor-supplied sudo package
>> or the one from www.sudo.ws?  Also, the output of "sudo -l -U bob"
>> (or just "sudo -l" run by user bob) would be helpful.
>>
>>  - todd
>>
>
>
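
An added example, not part of the thread and not sudo's own code: a Python audit check that lists the `#uid` runas targets in a sudoers file that have no passwd entry, which is the case reported in this thread. The function names and the sample text are constructed here; the parser assumes one alias per `Runas_Alias` line and no backslash line continuations.

```python
import pwd
import re

# Constructed sample, modelled on the sudoers lines quoted in the thread.
SAMPLE_SUDOERS = """\
Runas_Alias  JAILED_USERS = user2,#1000,#8802
ALL ALL = (JAILED_USERS) NOPASSWD: ALL
"""

ALIAS_RE = re.compile(r"^Runas_Alias\s+(\w+)\s*=\s*(.+)$")
RUNAS_RE = re.compile(r"\(([^)]*)\)")   # "(users[:groups])" part of a rule
UID_RE = re.compile(r"^#(\d+)$")        # sudoers syntax for a numeric uid


def passwd_has_uid(uid):
    """Default lookup: does the local passwd database know this uid?"""
    try:
        pwd.getpwuid(uid)
        return True
    except KeyError:
        return False


def expand(member, aliases, seen=()):
    """Yield the concrete members behind a (possibly nested) Runas_Alias."""
    if member in aliases and member not in seen:
        for inner in aliases[member]:
            yield from expand(inner, aliases, seen + (member,))
    else:
        yield member


def unmapped_runas_uids(sudoers_text, uid_known=passwd_has_uid):
    """Return the sorted #uid runas targets that have no passwd entry."""
    aliases, rules = {}, []
    for line in map(str.strip, sudoers_text.splitlines()):
        if not line or line.startswith("Defaults") or re.match(r"#\D", line):
            continue                     # blank, Defaults, comment or #include
        alias = ALIAS_RE.match(line)
        if alias:
            aliases[alias.group(1)] = [m.strip() for m in alias.group(2).split(",")]
        else:
            rules.append(line)
    flagged = set()
    for line in rules:                   # rules are read after all aliases
        for spec in RUNAS_RE.findall(line):
            for member in spec.split(":")[0].split(","):
                for name in expand(member.strip(), aliases):
                    uid = UID_RE.match(name)
                    if uid and not uid_known(int(uid.group(1))):
                        flagged.add(int(uid.group(1)))
    return sorted(flagged)
```

Pass the contents of the sudoers file as `sudoers_text`; the default `uid_known` consults the local passwd database through `pwd.getpwuid`.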

