[sudo-workers] Sudo takes a long time resolving user's GIDs

Todd C. Miller Todd.Miller at courtesan.com
Tue Aug 30 11:18:25 MDT 2016


Sudo matches groups by name so if your sudoers file uses group-based
permissions sudo needs to resolve all the user's groups to be able
to do the matching.  If there are no groups in sudoers sudo will
no longer resolve the group names.

There's a trade-off here.  Either sudo resolves the user's group
IDs to names and does string-based matching in sudoers or sudo
resolves all groups listed in sudoers and matches by group ID.  The
former is faster when sudoers contains more groups than a typical
user is a member of, the latter is faster when the typical user is
a member of more groups than are listed in sudoers.

Sudo currently matches by group name which is often better for
larger sudoers files.

 - todd
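
The trade-off described in the message above, as an added example that is not part of the original post and is not sudo's code: a small C model that counts group-database lookups for each matching strategy. The group table, the lookup counter and the function names are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the group database (files/LDAP/AD). */
struct grp { unsigned gid; const char *name; };
static const struct grp DB[] = { {10, "wheel"}, {100, "users"}, {2001, "dba"},
                                 {2002, "web"}, {2003, "ops"}, {2004, "audit"} };
#define NDB (sizeof(DB) / sizeof(DB[0]))
static int lookups;                 /* each database query counts as one lookup */

static const char *gid_to_name(unsigned gid) {
    lookups++;
    for (size_t i = 0; i < NDB; i++) if (DB[i].gid == gid) return DB[i].name;
    return NULL;
}
static int name_to_gid(const char *name, unsigned *gid) {
    lookups++;
    for (size_t i = 0; i < NDB; i++)
        if (strcmp(DB[i].name, name) == 0) { *gid = DB[i].gid; return 1; }
    return 0;
}
/* Match by name: resolve every GID of the user, then compare strings. */
static int match_by_name(const unsigned *ug, size_t nu, const char **sg, size_t ns) {
    int hit = 0;
    if (ns == 0) return 0;          /* no groups in sudoers: resolve nothing */
    for (size_t i = 0; i < nu; i++) {
        const char *n = gid_to_name(ug[i]);
        for (size_t j = 0; n != NULL && j < ns; j++) hit |= strcmp(n, sg[j]) == 0;
    }
    return hit;
}
/* Match by GID: resolve every group named in sudoers, then compare integers. */
static int match_by_gid(const unsigned *ug, size_t nu, const char **sg, size_t ns) {
    int hit = 0;
    for (size_t j = 0; j < ns; j++) {
        unsigned gid;
        if (!name_to_gid(sg[j], &gid)) continue;   /* unknown group never matches */
        for (size_t i = 0; i < nu; i++) hit |= ug[i] == gid;
    }
    return hit;
}
int main(void) {
    const unsigned user[] = {100, 2001, 2002, 2003, 2004};  /* constructed user */
    const char *sudoers[] = {"wheel"};                       /* constructed rule */
    lookups = 0; int a = match_by_name(user, 5, sudoers, 1); int ca = lookups;
    lookups = 0; int b = match_by_gid(user, 5, sudoers, 1);  int cb = lookups;
    printf("by name: match=%d lookups=%d\nby gid:  match=%d lookups=%d\n", a, ca, b, cb);
    return 0;
}
```

With a slow directory backend, the lookup count is what dominates the delay, so the cheaper strategy is whichever side (the user's group list or the sudoers group list) is shorter.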

