[sudo-workers] sudoRunAsUser option not behaving properly

Todd C. Miller Todd.Miller at courtesan.com
Tue Nov 1 08:05:08 MDT 2016

On Tue, 01 Nov 2016 14:54:07 +0100, Lenka Doudova wrote:

> I was pointed to discussion regarding sudo RunAsUser/RunAsGroup problems 
> [1] and have a question about inproperly handled RunAsUsers as mentioned 
> in the discussion. I'm working on FreeIPA where I have: user testuser, 
> group testgroup, sudorule testrule with RunAsUser empty and 
> RunAsGroup=testgroup. When I want to see list of commands user testuser 
> can run, I get:

That looks correct to me.  If only RunAsGroup is set, the user
should be able to run commands as the group but with their own uid,
not root.

This is equivalent to the following sudoers file entry:

testuser	ALL = (:testgroup) NOPASSWD:ALL

This was a bug fix in 1.8.18 to make LDAP and SSSD consistent with
file-based sudoers.  It was an oversight when RunAsGroup was initially

 - todd

More information about the sudo-workers mailing list