[sudo-users] Non-UNIX groups plugin

Todd C. Miller Todd.Miller at courtesan.com
Tue Oct 20 16:03:25 MDT 2015


On Fri, 16 Oct 2015 10:54:51 +1100, Phil wrote:

> We're looking into producing a sudo_plugin for non-UNIX groups, but our
> initial tests show some unexpected calls to our plugin.
> 
> With the following lines in sudoers:
> 
> %unixgroup ALL=(ALL) ALL
> %:nonunixgroup ALL=(ALL) ALL
> 
> We expected our plugin to only be called for the nonunixgroup, but we
> found it's also called for unixgroup. In fact it's called for all group
> ('%') entries.
> 
> Is this the expected behavior?

It is expected but probably not desirable.  This was never properly
documented and the behavior really should be to only look up %:foo
style groups with the group plugin unless configured to do otherwise.

I'll probably change this for 1.8.15 and add an option to get the
old behavior back for those that need it.

 - todd

