[sudo-users] I will not buy this record, it is scratched

Todd C. Miller Todd.Miller at sudo.ws
Mon Nov 27 08:34:38 MST 2017


I think it is fair to consider this a bug.  Since sudo switches
uids and groups around while searching for commands it caches the
source and target user's group vector so it doesn't need to be
looked up multiple times.

In this case, where the source and target user are the same, sudo
will use the same group vector it started with.  It should probably
always look up the target group vector since we want to run the
command with the groups specified by the group database.

In sudo 1.8.7 and above you can work around this by adding the
following line to /etc/sudo.conf (creating the file if it doesn't
already exist):

Set group_source dynamic

That will cause sudo to ignore the existing group vector (the one
returned by getgroups(2)) and always query the group database
directly.

 - todd
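As an added check that is not part of the original post: a small POSIX shell script that compares the group vector the current process actually carries (what getgroups(2) returns, read here via `id -G -n` with no argument) against what the group database says for that user (`id -G -n "$user"`), and that appends the `Set group_source dynamic` line to a given sudo.conf path only when it is not already set. The helper names, the path argument, and the sort-based comparison are my own choices, not sudo's.

```shell
#!/bin/sh
# Added example (not from the original post). Detects a stale process
# group vector relative to the group database and applies the sudo.conf
# workaround idempotently.

# Normalise a whitespace-separated group list: sorted, deduplicated, one line.
norm_groups() {
    printf '%s\n' $1 | sort -u | tr '\n' ' ' | sed 's/ $//'
}

# Return 0 when both lists contain the same group names, order ignored.
same_groups() {
    [ "$(norm_groups "$1")" = "$(norm_groups "$2")" ]
}

# Print "current" (return 0) if the process group vector matches the group
# database for the user, or "stale" (return 1) if membership has drifted,
# e.g. after the user was added to a group but has not logged in again.
check_group_vector() {
    user=${1:-$(id -un)}
    proc=$(id -G -n)            # group vector of this process (getgroups(2))
    db=$(id -G -n "$user")      # groups as recorded in the group database
    if same_groups "$proc" "$db"; then
        echo current
        return 0
    fi
    echo stale
    return 1
}

# Append "Set group_source dynamic" to the sudo.conf at $1 unless a line
# already enables it. Returns 0 when the file carries the setting.
ensure_group_source_dynamic() {
    conf=$1
    if [ -f "$conf" ] && \
       grep -Eq '^[[:space:]]*Set[[:space:]]+group_source[[:space:]]+dynamic' "$conf"; then
        return 0
    fi
    printf 'Set group_source dynamic\n' >> "$conf"
}
```

Run `check_group_vector` as the affected user to confirm the drift, then apply `ensure_group_source_dynamic /etc/sudo.conf` as root.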
