[sudo-workers] Runas(_alias) group
Daniel Kopecek
dkopecek at redhat.com
Tue Oct 25 08:33:07 EDT 2011
Hello,
it seems that there is a bug in the handling (matching) of groups in
Runas & Runas_alias lists. There are several ways to specify a runas
group and some of them, although correctly parsed, are ignored in the
matching phase. Here are some non-working examples, one of which is from
the sudoers manpage:

1) Using %group syntax + an alias

    User_Alias OK_GROUP = %a
    Runas_Alias OK_RUNAS_GROUP = %b, %c
    OK_GROUP ALL = (OK_RUNAS_GROUP) ALL

...which can be stripped down to:

    %a ALL=(%b) ALL

...which also does not work.

2) Using an alias

    Runas_Alias ADMINGRP = b, c
    %a ALL = (: ADMINGRP) /usr/bin/id

The problem with 1) is that when you use %group, then the parsed group
is appended to the user_list and not to the group_list (these two are
passed to the _runaslist_matches function in match.c) and the USERGROUP
entries are not compared with runas_gr.
And the problem with 2) also seems to be a wrong interpretation of the
contents of the alias (always passed as user_list ...).
I've prepared a preliminary patch for both issues. However, it needs
review and maybe the solution for the first problem (%group) should be
made in gram.y/c (i.e. append the entries to group_list), not in the
matching code.
Dan K.
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: sudo-1.8.3-usergroup.patch
URL: </pipermail/sudo-workers/attachments/20111025/6b2f961e/attachment.ksh>