[sudo-users] Run as multiple groups without password with sudo

Todd C. Miller Todd.Miller at courtesan.com
Thu Apr 16 13:36:11 MDT 2015

On Wed, 15 Apr 2015 18:31:08 +0100, Khalid wrote:

>  There are two abnormal behaviours:
>    - When using a uid that doesn't have an entry in passwd, the default
>    gid is 0 even if the flag --preserve-groups is set. And the user may
>    choose any other gid. By default, it should be set to the nogroup gid or to
>    the same uid (failsafe?).

I think it is safest to just keep the invoking user's gid in this
case.  That way we are not elevating group privileges in any way.

>    - When using a uid that does have an entry in passwd, sudo still asks
>    for the password even if NOPASSWD: is specified.

I'm unable to reproduce that problem.  I only get a passwd prompt
if I specify a group, which is expected since the rule with NOPASSWD
will no longer match.  With the following commit:


$ id
uid=8036(millert) gid=20(staff) groups=20(staff), 0(wheel), 5(operator)

$ sudo -l
User millert may run the following commands on xerxes:
    (daemon, #1004, #8802) NOPASSWD: ALL

$ sudo -u daemon id
uid=1(daemon) gid=1(daemon) groups=1(daemon)

$ sudo -u daemon -g wheel id

$ sudo -u #1004 id
uid=1004(testuser) gid=1004 groups=1004

$ sudo -u #1004 -g wheel id

$ sudo -u #8802 id
uid=8802 gid=20(staff) groups=20(staff)

$ sudo -u #8802 -g wheel id

$ sudo -u "#8802" --preserve-groups id
uid=8802 gid=20(staff) groups=20(staff), 0(wheel), 5(operator)
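
The rule-matching point above (a NOPASSWD rule with only a user Runas_List stops matching once -g names a group the target user is not in) as an added sudoers illustration, not a fragment from the thread or from sudo itself; the host name "xerxes" and the uids are taken from the session above, the exact original rule is an assumption.

```sudoers
# Added example, not from the thread. Host "xerxes" and the uids come from the
# session quoted above; the original sudoers line itself is assumed.

# Rule consistent with the "sudo -l" output above: a user Runas_List only.
# The command may run as daemon, uid 1004 or uid 8802, and -g may name only a
# group the target user already belongs to. "sudo -u daemon -g wheel id" does
# not match this rule (daemon is not in wheel), so NOPASSWD does not apply and
# sudo prompts for a password, which is the behaviour the thread describes.
millert xerxes = (daemon, #1004, #8802) NOPASSWD: ALL

# If the extra group is really intended, name it in the second (group)
# Runas_List explicitly. Name only the group needed: "(daemon : ALL)" would let
# the invoking user choose any gid, including 0.
millert xerxes = (daemon, #1004, #8802 : wheel) NOPASSWD: ALL

# Group-only Runas_List: the invoking user keeps their own uid and may add the
# listed group with -g. This is the least-privilege form when no uid change is
# required, and restricting the command instead of ALL narrows it further.
millert xerxes = (: operator) NOPASSWD: /usr/bin/id
```

A practical check before and after editing: run "sudo -l -u daemon -g wheel id" as the user; sudo exits 1 when no rule allows that user/group combination.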

