[sudo-users] Run as multiple groups without password with sudo
Todd C. Miller
Todd.Miller at courtesan.com
Thu Apr 16 13:36:11 MDT 2015
On Wed, 15 Apr 2015 18:31:08 +0100, Khalid wrote:
> There are two abnormal behaviours:
>
> - When using a uid that doesn't have an entry in passwd, the default
> gid is 0 even if the flag --preserve-groups is set. And the user may
> choose any other gid. By default, it should be set to the nogroup gid or to
> the same uid (failsafe?).

I think it is safest to just keep the invoking user's gid in this
case. That way we are not elevating group privileges in any way.

> - When using a uid that does have an entry in passwd, sudo still asks
> for the password even if NOPASSWD: is specified.

I'm unable to reproduce that problem. I only get a passwd prompt
if I specify a group, which is expected since the rule with NOPASSWD
will no longer match. With the following commit:

http://www.sudo.ws/repos/sudo/rev/4154970432df

$ id
uid=8036(millert) gid=20(staff) groups=20(staff), 0(wheel), 5(operator)
$ sudo -l
User millert may run the following commands on xerxes:
(daemon, #1004, #8802) NOPASSWD: ALL
$ sudo -u daemon id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ sudo -u daemon -g wheel id
Password:
$ sudo -u #1004 id
uid=1004(testuser) gid=1004 groups=1004
$ sudo -u #1004 -g wheel id
Password:
$ sudo -u #8802 id
uid=8802 gid=20(staff) groups=20(staff)
$ sudo -u #8802 -g wheel id
Password:
$ sudo -u "#8802" --preserve-groups id
uid=8802 gid=20(staff) groups=20(staff), 0(wheel), 5(operator)
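
Added example, not part of the original message and not the poster's actual sudoers file: the rule shape implied by the `sudo -l` output above, next to a variant that carries a second Runas_List for groups. The user/host pairing `millert xerxes` is reconstructed from that output, and the choice of `operator` as the permitted group is an assumption made for illustration.

```sudoers
# Constructed from the `sudo -l` output in the message; the real sudoers line
# is not shown there.
#
# Runas_Spec with a user list only. `sudo -u daemon`, `sudo -u '#1004'` and
# `sudo -u '#8802'` match this rule and inherit NOPASSWD. Adding any -g option
# makes the rule stop matching, so the NOPASSWD tag no longer applies and sudo
# prompts for a password.
millert xerxes = (daemon, #1004, #8802) NOPASSWD: ALL

# Variant with a group Runas_List after the colon (assumed group: operator).
# Any listed user may now be combined with `-g operator` under NOPASSWD.
# `-g wheel` is deliberately not listed, so a request for gid 0 still falls
# outside the rule. List only the groups the task needs.
#
# millert xerxes = (daemon, #1004, #8802 : operator) NOPASSWD: ALL
```

Check a fragment like this with `visudo -c -f <file>` before installing it.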