[sudo-users] sudo change is behavior between RHEL6.5 and RHEL 6.6

Todd C. Miller Todd.Miller at courtesan.com
Thu May 26 13:53:24 MDT 2016

On Thu, 26 May 2016 19:06:51 -0000, "SERIEYE, Yan" wrote:

> I'd like to refactor my implementation be "official sudo" compatible.
> That why I wanted to know what my options are :
> - transforming my users group into users netgroup
> - keep my non unix users group and find a way to make it work ( may be with
> group_plugin but i don't clearly understand how it work) ?
> - other idea ?

It should be possible to use your non-unix groups, how are they
managed?  Do they show up when you run the "id" command?

In /etc/sudo.conf, try adding the following line:

Debug sudo /var/log/sudo.debug sssd at debug,nss at debug,plugin at debug

That will log a log of sssd-specific info as well as the info sent
from the sudo front end to the sudoers plugin.  You should see
a line similar to:

May 17 07:40:39 sudo[36259] user_info: groups=20,0,5,9,13,62,67,97,117,544,662,1002,1004

which lists the group IDs sudo thinks the invoking user belongs to.

Sudo 1.8.7 and higher has a setting to control how the group list
is determined which may help.  The sudo.conf setting:

Set group_source dynamic

will cause sudo to determine the user's groups itself instead of
just using the group list from the kernel.  You should be able to
use the RedHat 6 packages for sudo 1.8.16 from
https://www.sudo.ws/download.html#binary if you want to try this

 - todd

More information about the sudo-users mailing list