[sudo-workers] sudo doesn't add "dynamic groups"

Todd C. Miller Todd.Miller at courtesan.com
Mon Apr 25 10:02:33 MDT 2016


The Linux su(1) calls pam_setcred(3) after setting the groups but
before opening the session or changing the UID.

Sudo opens the session early (before it forks) to avoid issues with
certain PAM modules and sets the groups immediately before changing
the UID.  It should be possible to change the groups earlier (before
pam_setcred) which ought to fix your issue.

 - todd
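
An added example, not part of the original message or of sudo's source: a small C model of why the ordering described above decides whether a group granted during pam_setcred(3) survives. It assumes a PAM module whose setcred hook appends one supplementary group; the GIDs and function names are constructed for illustration, and the model relies on initgroups(3)/setgroups(2) replacing the whole list rather than merging into it.

```c
#include <stdio.h>
#include <string.h>

#define MAX_GROUPS 16
#define DYNAMIC_GID 2001u  /* constructed: group the modelled module grants in setcred */

/* Model of a process's supplementary group list. */
struct proc { unsigned gids[MAX_GROUPS]; int n; };

/* Behaves like initgroups(3)/setgroups(2): REPLACES the whole list. */
static void set_base_groups(struct proc *p, const unsigned *base, int n) {
    if (n > MAX_GROUPS) n = MAX_GROUPS;
    memcpy(p->gids, base, (size_t)n * sizeof *base);
    p->n = n;
}

/* Hypothetical setcred hook: appends one group to whatever list is current. */
static void model_setcred(struct proc *p) {
    if (p->n < MAX_GROUPS) p->gids[p->n++] = DYNAMIC_GID;
}

static int has_group(const struct proc *p, unsigned gid) {
    for (int i = 0; i < p->n; i++)
        if (p->gids[i] == gid) return 1;
    return 0;
}

/* groups_first != 0: groups set before setcred (the su(1) order, and the
 *                    change proposed in the message).
 * groups_first == 0: setcred runs first, groups set just before the UID change. */
int dynamic_group_survives(int groups_first) {
    const unsigned base[] = { 1000u, 27u };  /* constructed group database entries */
    struct proc p = { {0}, 0 };
    if (groups_first) { set_base_groups(&p, base, 2); model_setcred(&p); }
    else              { model_setcred(&p); set_base_groups(&p, base, 2); }
    /* The UID change would follow here; it does not touch the group list. */
    return has_group(&p, DYNAMIC_GID);
}

int main(void) {
    printf("groups set before setcred: dynamic group kept = %d\n", dynamic_group_survives(1));
    printf("groups set after setcred:  dynamic group kept = %d\n", dynamic_group_survives(0));
    return 0;
}
```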

