[sudo-workers] Sudo 1.8.6p3 on an AD domain: excessive group data requests

Alexander Lopez alopez31 at csc.com
Fri Jan 18 12:09:26 EST 2013


Configuration:
 Solaris 10
 AD domain interface via Likewise (BeyondTrust Software Inc)
 nsswitch.conf has:     group:  files lsass

 Sudo 1.8.6p3 with system_group.so plugin (all compiled from src -
 the plugin isn't supplied with the binary release)
 /etc/sudoers has a group entry:  %AD_groupname  ....
 
 The user is an AD user in the AD_groupname group

Sudo permission checking causes a large amount of group data to be
sent from the AD server.  The AD server sends the name of every
group it has.  There are a lot of groups.
 
The code has set_perms() called from several places.  The routine
calls getgrouplist() which uses the system routine getgrent() to
get successive group names.
 
This causes a long delay before sudo finally gets around to using
the system_group plugin to validate the group and the command
argument is run.  (The man page for getgrent() says its use is
discouraged as it is inefficient and not supported by all DB sources.)

To stop this I set getgrouplist() to just immediately return, as
it wasn't adding anything to the list of groups already made before
set_perms() is called.
 
The sudo code should have a build flag or some other mechanism to
disable the massive data requests.  Perhaps those of you who have
worked on the code would have some comment or a better idea.

Alex Lopez 
System Engineer
CSC
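As an added illustration of the cost described above (this is not code from the post or from sudo), the following C program walks the whole group database with getgrent() the way an enumeration-based getgrouplist() fallback would, counting how many entries the NSS backend had to stream before the user's membership list was complete, and contrasts it with the library getgrouplist(3) call. It assumes a glibc-style system that provides getgrouplist(3); on a directory-backed nsswitch group source the scanned count is what grows with the number of groups in the domain.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Enumerate every group with getgrent() and check gr_mem for `user`,
 * which is what a fallback getgrouplist() has to do when it cannot
 * ask the backend directly. Returns the membership count (primary
 * gid plus each group listing `user`); *entries_scanned receives the
 * number of group records the NSS backend had to return. */
int enumerate_groups(const char *user, gid_t primary, long *entries_scanned)
{
    struct group *gr;
    int ngroups = 1;            /* the primary group always counts */
    long scanned = 0;

    setgrent();
    while ((gr = getgrent()) != NULL) {
        scanned++;
        if (gr->gr_gid == primary)
            continue;           /* already counted as primary */
        for (char **mem = gr->gr_mem; mem != NULL && *mem != NULL; mem++) {
            if (strcmp(*mem, user) == 0) {
                ngroups++;
                break;
            }
        }
    }
    endgrent();
    if (entries_scanned != NULL)
        *entries_scanned = scanned;
    return ngroups;
}

/* Same question answered by the library getgrouplist(3), which lets a
 * backend return just this user's memberships. Returns the count, or
 * -1 if the fixed buffer was too small or the call failed. */
int library_groups(const char *user, gid_t primary)
{
    gid_t groups[1024];
    int ngroups = 1024;
    if (getgrouplist(user, primary, groups, &ngroups) == -1)
        return -1;
    return ngroups;
}

int main(void)
{
    long scanned = 0;   /* "root"/gid 0 is a constructed sample user */
    int n = enumerate_groups("root", 0, &scanned);
    printf("getgrent() walk: %d group(s), %ld records streamed\n", n, scanned);
    printf("getgrouplist(): %d group(s)\n", library_groups("root", 0));
    return 0;
}
```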

