[sudo-users] Run as multiple groups without password with sudo
Khalid
khalidiste at gmail.com
Fri Apr 17 03:28:32 MDT 2015
Thank you
2015-04-16 20:36 GMT+01:00 Todd C. Miller <Todd.Miller at courtesan.com>:
> On Wed, 15 Apr 2015 18:31:08 +0100, Khalid wrote:
>
> > There are two abnormal behaviours:
> >
> > - When using a uid that doesn't have an entry in passwd, the default
> > gid is 0 even if the flag --preserve-groups is set. And the user may
> > choose any other gid. By default, it should be set to nogroup gid or to
> > the same uid (failsafe?).
>
> I think it is safest to just keep the invoking user's gid in this
> case. That way we are not elevating group privileges in any way.
>
> > - When using a uid that does have an entry in passwd, sudo still asks
> > for the password even if NOPASSWD: is specified.
>
> I'm unable to reproduce that problem. I only get a passwd prompt
> if I specify a group, which is expected since the rule with NOPASSWD
> will no longer match. With the following commit:
>
> http://www.sudo.ws/repos/sudo/rev/4154970432df
>
> $ id
> uid=8036(millert) gid=20(staff) groups=20(staff), 0(wheel), 5(operator)
>
> $ sudo -l
> User millert may run the following commands on xerxes:
> (daemon, #1004, #8802) NOPASSWD: ALL
>
> $ sudo -u daemon id
> uid=1(daemon) gid=1(daemon) groups=1(daemon)
>
> $ sudo -u daemon -g wheel id
> Password:
>
> $ sudo -u #1004 id
> uid=1004(testuser) gid=1004 groups=1004
>
> $ sudo -u #1004 -g wheel id
> Password:
>
> $ sudo -u #8802 id
> uid=8802 gid=20(staff) groups=20(staff)
>
> $ sudo -u #8802 -g wheel id
> Password:
>
> $ sudo -u "#8802" --preserve-groups id
> uid=8802 gid=20(staff) groups=20(staff), 0(wheel), 5(operator)
>