[sudo-users] I will not buy this record, it is scratched

Mihai Moldovan ionic at ionic.de
Mon Nov 27 22:30:27 MST 2017

* On 11/27/2017 04:34 PM, Todd C. Miller wrote:
> I think it is fair to consider this a bug.  Since sudo switches
> uids and groups around while searching for commands it caches the
> source and target user's group vector so it doesn't need to be
> looked up multiple times.

That sounds reasonable to avoid useless work (especially in more complicated
setups with network-based groups with a lot of users and groups).

> In this case, where the source and target user are the same, sudo
> will use the same group vector it started with.  It should probably
> always look up the target group vector since we want to run the
> command with the groups specified by the group database.

Yes, I would certainly recommend this.
Same-user contexts are probably special, in the sense that the group vector *can*
be cached - while that's usually not possible for different-user contexts. I
would expect this bug doesn't show up in such a case, since sudo needs to query
either the kernel or higher-level systems to get the target-user groups, either
after successful authorization checks or before command execution, anyway,
since that information cannot be reasonably cached. This would require using a
system daemon or caching files on disk. Neither would be a smart idea for sudo
in the first place.

> In sudo 1.8.7 and above you can work around this by adding the
> following line to /etc/sudo.conf (creating the file if it doesn't
> already exist):
> Set group_source dynamic
> That will cause sudo to ignore the existing group vector (the one
> returned by getgroups(2)) and always query the group database
> directly.

Indeed, that works great for my use case! The groups vector is correctly
re-initialized. I must have missed this option while searching around. Then
again, this is a very unusual use case in the first place...

Thanks a bunch.

If possible, please keep this in mind for a future version!
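The two group sources discussed in this thread can be seen side by side with a small C program. This is an added example and not sudo's own code: it reads the process's current supplementary group vector with getgroups(2) (what the default, "static", source reuses) and the group database's answer for the same user with getgrouplist(3) (what `Set group_source dynamic` makes sudo consult), then compares the two sets. The function names, the MAX_GROUPS limit and the use of "root" in the test are this example's own assumptions.

```c
/* Added example, not sudo's code: contrast the two places a group vector can
 * come from, which is what sudo.conf's group_source setting chooses between.
 *   static  (default): reuse what getgroups(2) reports for the running process
 *   dynamic          : re-query the group database via getgrouplist(3)
 * A process started with a stale or hand-modified vector (setgroups, sg, a
 * group added after login) shows the difference. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

#define MAX_GROUPS 256   /* assumed upper bound for this example's buffers */

/* Prototype repeated here in case feature macros hide it in <grp.h>. */
extern int getgrouplist(const char *user, gid_t group, gid_t *groups, int *ngroups);

/* The "static" source: supplementary groups the kernel already holds for this
 * process. Returns the count, or -1 (errno set) on error. */
int groups_from_kernel(gid_t *buf, int cap)
{
    return getgroups(cap, buf);
}

/* The "dynamic" source: every group the group database lists for `user`, plus
 * base_gid (the primary group), which getgrouplist always includes.
 * Returns the count, or -1 if `cap` entries were not enough. */
int groups_from_db(const char *user, gid_t base_gid, gid_t *buf, int cap)
{
    int n = cap;
    if (getgrouplist(user, base_gid, buf, &n) == -1)
        return -1;
    return n;
}

static int cmp_gid(const void *a, const void *b)
{
    gid_t x = *(const gid_t *)a, y = *(const gid_t *)b;
    return (x > y) - (x < y);
}

/* Sort a copy and drop duplicates; returns the new length. */
static int normalize(gid_t *v, int n)
{
    if (n <= 0)
        return 0;
    qsort(v, (size_t)n, sizeof *v, cmp_gid);
    int w = 1;
    for (int i = 1; i < n; i++)
        if (v[i] != v[w - 1])
            v[w++] = v[i];
    return w;
}

/* 1 if both vectors describe the same set of gids (order and duplicates
 * ignored), else 0. Works on copies so the callers' buffers are untouched. */
int same_group_set(const gid_t *a, int na, const gid_t *b, int nb)
{
    gid_t ca[MAX_GROUPS], cb[MAX_GROUPS];
    if (na < 0 || nb < 0 || na > MAX_GROUPS || nb > MAX_GROUPS)
        return 0;
    for (int i = 0; i < na; i++) ca[i] = a[i];
    for (int i = 0; i < nb; i++) cb[i] = b[i];
    int la = normalize(ca, na), lb = normalize(cb, nb);
    if (la != lb)
        return 0;
    for (int i = 0; i < la; i++)
        if (ca[i] != cb[i])
            return 0;
    return 1;
}

/* 1 if gid g appears anywhere in vector v. */
int vector_has_gid(const gid_t *v, int n, gid_t g)
{
    for (int i = 0; i < n; i++)
        if (v[i] == g)
            return 1;
    return 0;
}

int main(void)
{
    gid_t kern[MAX_GROUPS], db[MAX_GROUPS];
    struct passwd *pw = getpwuid(getuid());
    int nk = groups_from_kernel(kern, MAX_GROUPS);
    if (pw == NULL || nk < 0) {
        perror("getpwuid/getgroups");
        return 1;
    }
    /* getgroups(2) need not list the primary gid, so add it before comparing. */
    if (nk < MAX_GROUPS && !vector_has_gid(kern, nk, getegid()))
        kern[nk++] = getegid();
    int nd = groups_from_db(pw->pw_name, pw->pw_gid, db, MAX_GROUPS);
    if (nd < 0) {
        fprintf(stderr, "more than %d groups\n", MAX_GROUPS);
        return 1;
    }
    printf("getgroups(2)    [group_source static] :");
    for (int i = 0; i < nk; i++) printf(" %u", (unsigned)kern[i]);
    printf("\ngetgrouplist(3) [group_source dynamic]:");
    for (int i = 0; i < nd; i++) printf(" %u", (unsigned)db[i]);
    printf("\n%s\n", same_group_set(kern, nk, db, nd)
           ? "vectors agree"
           : "vectors differ: the static source would keep the first one");
    return 0;
}
```

Run it normally and the two lines agree; run it from a shell whose vector was changed after login (for example via `sg` or after being added to a new group without logging out) and they diverge, which is the situation where sudo's static default reuses the first vector and `Set group_source dynamic` picks the second.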


