[sudo-workers] sudo doesn't add "dynamic groups"
kstreitova at suse.com
Wed Apr 13 16:13:05 MDT 2016
We encountered the following issue in sudo. It seems that sudo doesn't
add "dynamic groups" although pam_group module is configured properly.
I'm attaching a reproducer showing the same configuration for the sudo and
e.g. su-l services. However, for su it works and the group is added, but
for sudo it doesn't.
How to reproduce:
1) add new user 'sudotest'
2) edit '/etc/security/group.conf' and add:
3) edit '/etc/pam.d/su-l' and '/etc/pam.d/sudo' and add the following
rows at the start of the file:
auth required pam_group.so
# su -c id -l sudotest
uid=1002(sudotest) gid=100(users) groups=100(users),40(games)
# sudo -iu sudotest id
uid=1002(sudotest) gid=100(users) groups=100(users)
According to our debugging attempts, it seems that the forked
plugins/sudoers/auth/pam.c process adds the PAM groups correctly, but the
original src/sudo.c process seems to overwrite these groups with the old
values from details->groups (around src/sudo.c:927 in sudo 1.8.10).
The issue was found in sudo 1.8.10, but it is also reproducible for the
latest sudo 1.8.16 (openSUSE Tumbleweed) or e.g. older sudo 1.7.6p2.
Currently, I don't see any obvious fix, but I'm not overly familiar with
the code. Do you see any graceful way to solve this issue?
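The comparison described in the report, as an added example that is not part of the original post or of sudo's own code: a small POSIX shell script that parses the two `id` output lines and lists every supplementary group that the su -l path grants but the sudo -i path drops. The two sample `id` lines are the ones quoted above; the `--live` mode runs the same `su -l -c id` and `sudo -iu ... id` commands as the report and therefore has to be run as root on a host where pam_group is configured for both services (the group.conf entry itself is not reproduced here).

```sh
#!/bin/sh
# Added example (not from the original report or from sudo): compare the
# supplementary groups a user receives via "su -l" with those received via
# "sudo -i", to spot groups that pam_group added in one path but not the other.

# id_groups LINE: print one group name per line from an `id` output line such
# as "uid=1002(sudotest) gid=100(users) groups=100(users),40(games)".
id_groups() {
    printf '%s\n' "$1" \
        | sed -n 's/.*groups=//p' \
        | tr ',' '\n' \
        | sed 's/^[0-9]*(\(.*\))$/\1/' \
        | sed '/^$/d' \
        | sort -u
}

# missing_groups EXPECTED_ID_LINE ACTUAL_ID_LINE: print, one per line, every
# group named in the first id line that is absent from the second. Prints
# nothing when the second line carries all of the expected groups.
missing_groups() {
    expected=$(id_groups "$1")
    actual=$(id_groups "$2")
    for g in $expected; do
        printf '%s\n' "$actual" | grep -Fxq -- "$g" || printf '%s\n' "$g"
    done
}

# check_dynamic_groups USER: run the two commands from the report as root and
# report any group that "su -l" grants but "sudo -i" does not. Returns 1 when
# a group is lost, 2 when not run as root, 0 when both paths agree.
check_dynamic_groups() {
    user=$1
    if [ "$(id -u)" -ne 0 ]; then
        echo "check_dynamic_groups: must be run as root" >&2
        return 2
    fi
    via_su=$(su -l -c id "$user")
    via_sudo=$(sudo -iu "$user" id)
    lost=$(missing_groups "$via_su" "$via_sudo")
    if [ -n "$lost" ]; then
        echo "groups granted via 'su -l' but missing via 'sudo -i' for $user:"
        printf '  %s\n' $lost
        return 1
    fi
    echo "'sudo -i' and 'su -l' agree on supplementary groups for $user"
}

# Constructed sample input: the two id lines quoted in the report.
SU_LINE='uid=1002(sudotest) gid=100(users) groups=100(users),40(games)'
SUDO_LINE='uid=1002(sudotest) gid=100(users) groups=100(users)'

if [ "${1:-}" = "--live" ] && [ $# -eq 2 ]; then
    # Usage: ./check_dynamic_groups.sh --live sudotest   (as root)
    check_dynamic_groups "$2"
else
    echo "Groups lost between 'su -l' and 'sudo -i' in the sample output:"
    missing_groups "$SU_LINE" "$SUDO_LINE"
fi
```

Without arguments the script only works on the embedded sample lines and prints `games`, the group that pam_group added for su-l but which is missing from the sudo output; with `--live USER` it runs both commands itself, which is the quickest way to confirm whether a given sudo build still shows the behaviour.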