[sudo-workers] sudo doesn't add "dynamic groups"

Todd C. Miller Todd.Miller at courtesan.com
Tue Apr 26 16:43:38 MDT 2016


Can you try the following diff?

 - todd

diff -r ef0a5428a574 src/sudo.c
--- a/src/sudo.c	Tue Apr 26 14:39:42 2016 -0600
+++ b/src/sudo.c	Tue Apr 26 16:43:15 2016 -0600
@@ -1018,30 +1018,6 @@
 #endif /* HAVE_LOGIN_CAP_H */
     }
 
-    /*
-     * Set groups, including supplementary group vector.
-     */
-    if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
-	if (details->ngroups >= 0) {
-	    if (sudo_setgroups(details->ngroups, details->groups) < 0) {
-		sudo_warn(U_("unable to set supplementary group IDs"));
-		goto done;
-	    }
-	}
-    }
-#ifdef HAVE_SETEUID
-    if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
-	sudo_warn(U_("unable to set effective gid to runas gid %u"),
-	    (unsigned int)details->egid);
-	goto done;
-    }
-#endif
-    if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
-	sudo_warn(U_("unable to set gid to runas gid %u"),
-	    (unsigned int)details->gid);
-	goto done;
-    }
-
     if (ISSET(details->flags, CD_SET_PRIORITY)) {
 	if (setpriority(PRIO_PROCESS, 0, details->priority) != 0) {
 	    sudo_warn(U_("unable to set process priority"));
@@ -1365,6 +1341,35 @@
     int rval = true;
     debug_decl(policy_init_session, SUDO_DEBUG_PCOMM)
 
+    /*
+     * We set groups, including supplementary group vector,
+     * as part of the session setup.  This allows for dynamic
+     * groups to be set via pam_group(8) in pam_setcred(3).
+     */
+    if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) {
+	if (details->ngroups >= 0) {
+	    if (sudo_setgroups(details->ngroups, details->groups) < 0) {
+		sudo_warn(U_("unable to set supplementary group IDs"));
+		rval = -1;
+		goto done;
+	    }
+	}
+    }
+#ifdef HAVE_SETEUID
+    if (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) {
+	sudo_warn(U_("unable to set effective gid to runas gid %u"),
+	    (unsigned int)details->egid);
+	rval = -1;
+	goto done;
+    }
+#endif
+    if (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) {
+	sudo_warn(U_("unable to set gid to runas gid %u"),
+	    (unsigned int)details->gid);
+	rval = -1;
+	goto done;
+    }
+
     if (policy_plugin.u.policy->init_session) {
 	/*
 	 * Backwards compatibility for older API versions
@@ -1381,6 +1386,7 @@
 	}
 	sudo_debug_set_active_instance(sudo_debug_instance);
     }
+done:
     debug_return_int(rval);
 }
 

