[sudo-workers] sudo doesn't add "dynamic groups"
Todd C. Miller
Todd.Miller at courtesan.com
Mon Apr 25 10:02:33 MDT 2016
The Linux su(1) calls pam_setcred(3) after setting the groups but
before opening the session or changing the UID.
Sudo opens the session early (before it forks) to avoid issues with
certain PAM modules and sets the groups immediately before changing
the UID. It should be possible to change the groups earlier (before
pam_setcred) which ought to fix your issue.
- todd
More information about the sudo-workers
mailing list