[sudo-workers] sudo doesn't add "dynamic groups"

Kristýna Streitová kstreitova at suse.com
Thu Apr 28 07:09:20 MDT 2016


Hi,

I've tried your patch and it works like a charm. Thank you for it!

Will it be included in the next version of sudo?


Kristyna


On 27.4.2016 at 00:43, Todd C. Miller wrote:
> Can you try the following diff?
> 
> - todd
> 
> diff -r ef0a5428a574 src/sudo.c --- a/src/sudo.c	Tue Apr 26
> 14:39:42 2016 -0600 +++ b/src/sudo.c	Tue Apr 26 16:43:15 2016
> -0600 @@ -1018,30 +1018,6 @@ #endif /* HAVE_LOGIN_CAP_H */ }
> 
> -    /* -     * Set groups, including supplementary group vector. -
> */ -    if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) { -	if
> (details->ngroups >= 0) { -	    if
> (sudo_setgroups(details->ngroups, details->groups) < 0) { -
> sudo_warn(U_("unable to set supplementary group IDs")); -		goto
> done; -	    } -	} -    } -#ifdef HAVE_SETEUID -    if
> (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) { -
> sudo_warn(U_("unable to set effective gid to runas gid %u"), -
> (unsigned int)details->egid); -	goto done; -    } -#endif -    if
> (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) { -
> sudo_warn(U_("unable to set gid to runas gid %u"), -	    (unsigned
> int)details->gid); -	goto done; -    } - if (ISSET(details->flags,
> CD_SET_PRIORITY)) { if (setpriority(PRIO_PROCESS, 0,
> details->priority) != 0) { sudo_warn(U_("unable to set process
> priority")); @@ -1365,6 +1341,35 @@ int rval = true; 
> debug_decl(policy_init_session, SUDO_DEBUG_PCOMM)
> 
> +    /* +     * We set groups, including supplementary group
> vector, +     * as part of the session setup.  This allows for
> dynamic +     * groups to be set via pam_group(8) in
> pam_setcred(3). +     */ +    if (!ISSET(details->flags,
> CD_PRESERVE_GROUPS)) { +	if (details->ngroups >= 0) { +	    if
> (sudo_setgroups(details->ngroups, details->groups) < 0) { +
> sudo_warn(U_("unable to set supplementary group IDs")); +		rval =
> -1; +		goto done; +	    } +	} +    } +#ifdef HAVE_SETEUID +    if
> (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) { +
> sudo_warn(U_("unable to set effective gid to runas gid %u"), +
> (unsigned int)details->egid); +	rval = -1; +	goto done; +    } 
> +#endif +    if (ISSET(details->flags, CD_SET_GID) &&
> setgid(details->gid)) { +	sudo_warn(U_("unable to set gid to runas
> gid %u"), +	    (unsigned int)details->gid); +	rval = -1; +	goto
> done; +    } + if (policy_plugin.u.policy->init_session) { /* *
> Backwards compatibility for older API versions @@ -1381,6 +1386,7
> @@ } sudo_debug_set_active_instance(sudo_debug_instance); } +done: 
> debug_return_int(rval); }
> 
> 
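
Review bot: After the removal in the first hunk (@@ -1018,30 +1018,6), nothing before the CD_SET_PRIORITY check sets the gid, egid or supplementary groups, so the command's group identity now depends entirely on policy_init_session() having run first and succeeded. Please confirm that every path reaching this code has already called policy_init_session() and stops when it fails; otherwise the command would keep the invoking process's groups. A one-line comment at the old location saying where the group setup moved would also help future readers.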
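
Review bot: In the second hunk (@@ -1365,6 +1341,35) the new failure paths set rval = -1 while the function initialises it with "int rval = true;", so a caller that only tests for a false/zero return would treat a failed sudo_setgroups(), setegid() or setgid() as success; please check that the caller treats -1 as fatal. Because the block now runs before the policy_plugin.u.policy->init_session call, the new comment could also state explicitly that the final supplementary group list may then differ from details->groups once pam_setcred(3) has run, since that is the behavioural change an administrator needs to know about.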
