[sudo-workers] sudo doesn't add "dynamic groups"
Kristýna Streitová
kstreitova at suse.com
Thu Apr 28 07:09:20 MDT 2016
Hi,
I've tried your patch and it works like a charm. Thank you for it!
Will it be included in the next version of sudo?
Kristyna
On 27.4.2016 at 00:43, Todd C. Miller wrote:
> Can you try the following diff?
>
> - todd
>
> diff -r ef0a5428a574 src/sudo.c --- a/src/sudo.c Tue Apr 26
> 14:39:42 2016 -0600 +++ b/src/sudo.c Tue Apr 26 16:43:15 2016
> -0600 @@ -1018,30 +1018,6 @@ #endif /* HAVE_LOGIN_CAP_H */ }
>
> - /* - * Set groups, including supplementary group vector. -
> */ - if (!ISSET(details->flags, CD_PRESERVE_GROUPS)) { - if
> (details->ngroups >= 0) { - if
> (sudo_setgroups(details->ngroups, details->groups) < 0) { -
> sudo_warn(U_("unable to set supplementary group IDs")); - goto
> done; - } - } - } -#ifdef HAVE_SETEUID - if
> (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) { -
> sudo_warn(U_("unable to set effective gid to runas gid %u"), -
> (unsigned int)details->egid); - goto done; - } -#endif - if
> (ISSET(details->flags, CD_SET_GID) && setgid(details->gid)) { -
> sudo_warn(U_("unable to set gid to runas gid %u"), - (unsigned
> int)details->gid); - goto done; - } - if (ISSET(details->flags,
> CD_SET_PRIORITY)) { if (setpriority(PRIO_PROCESS, 0,
> details->priority) != 0) { sudo_warn(U_("unable to set process
> priority")); @@ -1365,6 +1341,35 @@ int rval = true;
> debug_decl(policy_init_session, SUDO_DEBUG_PCOMM)
>
> + /* + * We set groups, including supplementary group
> vector, + * as part of the session setup. This allows for
> dynamic + * groups to be set via pam_group(8) in
> pam_setcred(3). + */ + if (!ISSET(details->flags,
> CD_PRESERVE_GROUPS)) { + if (details->ngroups >= 0) { + if
> (sudo_setgroups(details->ngroups, details->groups) < 0) { +
> sudo_warn(U_("unable to set supplementary group IDs")); + rval =
> -1; + goto done; + } + } + } +#ifdef HAVE_SETEUID + if
> (ISSET(details->flags, CD_SET_EGID) && setegid(details->egid)) { +
> sudo_warn(U_("unable to set effective gid to runas gid %u"), +
> (unsigned int)details->egid); + rval = -1; + goto done; + }
> +#endif + if (ISSET(details->flags, CD_SET_GID) &&
> setgid(details->gid)) { + sudo_warn(U_("unable to set gid to runas
> gid %u"), + (unsigned int)details->gid); + rval = -1; + goto
> done; + } + if (policy_plugin.u.policy->init_session) { /* *
> Backwards compatibility for older API versions @@ -1381,6 +1386,7
> @@ } sudo_debug_set_active_instance(sudo_debug_instance); } +done:
> debug_return_int(rval); }
>
>
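Review bot: in the first hunk (@@ -1018,30 +1018,6 @@), the sudo_setgroups()/setegid()/setgid() block disappears from this path and nothing is left to say where it went; the code now runs from the HAVE_LOGIN_CAP_H block straight into the setpriority() call. A one-line comment here pointing at policy_init_session() would help the next reader, and it is worth checking that every path reaching this code has already been through policy_init_session(), since any that has not would no longer get its group IDs set.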
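Review bot: in the policy_init_session() hunk (@@ -1365,6 +1341,35 @@), the three new failure paths set `rval = -1` and jump to `done`, while rval is initialised to true, so the caller has to treat -1 as fatal or the command could be run without the runas group IDs applied; please confirm that at the call site. The new comment explains why the group setup moved here but not that it must stay ahead of the `policy_plugin.u.policy->init_session` call; saying so explicitly would guard against a later reorder that overwrites groups added by pam_group(8) in pam_setcred(3).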