[sudo-workers] sudo doesn't add "dynamic groups"
Kristýna Streitová
kstreitova at suse.com
Wed Apr 13 16:13:05 MDT 2016
Hi,
We encountered the following issue in sudo. It seems that sudo doesn't
add "dynamic groups" although the pam_group module is configured properly.
I'm attaching a reproducer showing the same configuration for the sudo and
su-l services. However, for su it works and the group is added, but for
sudo it doesn't.
How to reproduce:
1) add new user 'sudotest'
2) edit '/etc/security/group.conf' and add:
sudo;*;sudotest;Al0000-2400;games
su-l;*;sudotest;Al0000-2400;games
3) edit '/etc/pam.d/su-l' and '/etc/pam.d/sudo' and add the following
line at the start of each file:
auth required pam_group.so
4) run
# su -c id -l sudotest
uid=1002(sudotest) gid=100(users) groups=100(users),40(games)
# sudo -iu sudotest id
uid=1002(sudotest) gid=100(users) groups=100(users)
According to our debugging attempts, it seems that the forked
plugins/sudoers/auth/pam.c process adds the PAM groups correctly, but the
original src/sudo.c process seems to overwrite these groups with the old
values from details->groups (around src/sudo.c:927 in sudo 1.8.10).
The issue was found in sudo 1.8.10, but it is also reproducible with the
latest sudo 1.8.16 (openSUSE Tumbleweed) and with older versions, e.g. sudo 1.7.6p2.
Currently, I don't see any obvious fix, but I'm not overly familiar with
the code. Do you see any graceful way to solve this issue, please?
Thank you.
Best regards,
Kristyna Streitova
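The reproduction steps from the report, scripted as an added example (this is not code from the original post or from the sudo project). It assumes a Linux test system with sudo, su and pam_group.so installed, that su's PAM service file is /etc/pam.d/su-l as on openSUSE, and that it is run as root on a disposable machine, since it appends to /etc/security/group.conf and prepends a line to /etc/pam.d/sudo and /etc/pam.d/su-l. The user name 'sudotest', the group 'games' and the time spec are taken from the report; the REPRO_RUN variable and the '.repro.bak' backup suffix are this script's own choices.

```shell
#!/bin/sh
# Added reproducer for the "sudo drops pam_group groups" report above.
# Assumptions (not from the original post): Linux, pam_group.so present,
# su's PAM service is /etc/pam.d/su-l, and we run as root on a throwaway box.

USER_NAME=sudotest          # from the report
DYN_GROUP=games             # group pam_group should add
TIME_SPEC='Al0000-2400'     # "all days, all hours" in group.conf syntax

# has_group ID_OUTPUT GROUP: succeed if GROUP appears in the groups= list of
# a line as printed by id(1), e.g. "... groups=100(users),40(games)".
has_group() {
    case "$1" in
        *groups=*) ;;
        *) return 1 ;;
    esac
    _groups=${1##*groups=}
    case ",$_groups," in
        *"($2),"*) return 0 ;;
        *) return 1 ;;
    esac
}

# pam_group_line SERVICE: one /etc/security/group.conf entry in the
# service;tty;user;time;groups format documented in group.conf(5).
pam_group_line() {
    printf '%s;*;%s;%s;%s\n' "$1" "$USER_NAME" "$TIME_SPEC" "$DYN_GROUP"
}

# ensure_pam_group FILE: prepend "auth required pam_group.so" to a PAM
# service file (it must run before the other auth modules), keeping a backup.
ensure_pam_group() {
    if ! grep -q 'pam_group\.so' "$1"; then
        cp "$1" "$1.repro.bak"
        { echo 'auth required pam_group.so'; cat "$1.repro.bak"; } > "$1"
    fi
}

# reproduce: apply the configuration for both services, run su and sudo,
# and report whether the group shows up for su but not for sudo.
reproduce() {
    [ "$(id -u)" -eq 0 ] || { echo 'run as root on a test system' >&2; return 2; }
    id "$USER_NAME" >/dev/null 2>&1 || useradd -m "$USER_NAME"
    for svc in sudo su-l; do
        line=$(pam_group_line "$svc")
        grep -qxF "$line" /etc/security/group.conf \
            || echo "$line" >> /etc/security/group.conf
        ensure_pam_group "/etc/pam.d/$svc"
    done
    su_out=$(su -c id -l "$USER_NAME")
    sudo_out=$(sudo -iu "$USER_NAME" id)
    echo "su:   $su_out"
    echo "sudo: $sudo_out"
    if has_group "$su_out" "$DYN_GROUP" && ! has_group "$sudo_out" "$DYN_GROUP"; then
        echo "REPRODUCED: $DYN_GROUP added via su but missing via sudo"
        return 1
    fi
    echo "not reproduced: su and sudo agree on the group list"
    return 0
}

# Only touch the system when explicitly asked: REPRO_RUN=1 sh repro.sh
if [ "${REPRO_RUN:-0}" = 1 ]; then
    reproduce
fi
```

The check deliberately compares the two commands against each other rather than against a fixed gid, since the numeric id of 'games' differs between distributions; the interesting outcome is su adding the group while sudo does not.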