[sudo-workers] sudo doesn't add "dynamic groups"

Kristýna Streitová kstreitova at suse.com
Wed Apr 13 16:13:05 MDT 2016


We encountered the following issue in sudo. It seems that sudo doesn't 
add "dynamic groups" although pam_group module is configured properly.

I'm attaching a reproducer showing the same configuration for sudo and 
e.g. su-l services. However for su it works and the group is added but 
for sudo it doesn't.

How to reproduce:
1) add new user 'sudotest'

2) edit '/etc/security/group.conf' and add:

3) edit '/etc/pam.d/su-l' and '/etc/pam.d/sudo' and add the following 
rows at the start of the file:
    auth    required    pam_group.so

4) run
    # su -c id -l sudotest
    uid=1002(sudotest) gid=100(users) groups=100(users),40(games)

    # sudo -iu sudotest id
    uid=1002(sudotest) gid=100(users) groups=100(users)

According to our debugging attempts, it seems that the forked 
plugins/sudoers/auth/pam.c process adds the pam groups correctly but the 
original src/sudo.c process seems to overwrite these groups with the old 
values from details->groups (around the src/sudo.c:927 in sudo 1.8.10).

The issue was found in sudo 1.8.10, but it is also reproducible for the 
latest sudo 1.8.16 (openSUSE Tumbleweed) or e.g. older sudo 1.7.6p2.

Currently, I don't see any obvious fix but I'm not overly familiar with 
the code. Do you see any graceful way how to solve this issue, please?

Thank you.

Best regards,
Kristyna Streitova

More information about the sudo-workers mailing list