[sudo-workers] sudoRunAsUser option not behaving properly

Todd C. Miller Todd.Miller at courtesan.com
Tue Nov 1 08:05:08 MDT 2016


On Tue, 01 Nov 2016 14:54:07 +0100, Lenka Doudova wrote:

> I was pointed to discussion regarding sudo RunAsUser/RunAsGroup problems 
> [1] and have a question about improperly handled RunAsUsers as mentioned 
> in the discussion. I'm working on FreeIPA where I have: user testuser, 
> group testgroup, sudorule testrule with RunAsUser empty and 
> RunAsGroup=testgroup. When I want to see list of commands user testuser 
> can run, I get:

That looks correct to me.  If only RunAsGroup is set, the user
should be able to run commands as the group but with their own uid,
not root.

This is equivalent to the following sudoers file entry:

testuser	ALL = (:testgroup) NOPASSWD:ALL

This was a bug fix in 1.8.18 to make LDAP and SSSD consistent with
file-based sudoers.  It was an oversight when RunAsGroup was initially
added.

 - todd
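The mapping Todd describes (a FreeIPA/LDAP rule with an empty RunAsUser and RunAsGroup=testgroup is the sudoers entry `(:testgroup)`, and a group-only RunAs keeps the invoking user's uid) can be modelled in a few lines. The following is an added example, not code from the sudo project or from this thread; the `PRIMARY_GROUP` table is a constructed stand-in for passwd/group lookups, and the `ldap_pre_1_8_18` flag models only the oversight the reply mentions (group-only spec from LDAP/SSSD treated as though the user were root).

```python
import re
from dataclasses import dataclass

# Constructed sample accounts (stand-in for getpwnam/getgrgid lookups).
PRIMARY_GROUP = {"testuser": "testuser", "root": "root", "www": "www"}

# Matches a sudoers RunAs spec such as "(root)", "(:testgroup)", "(www:testgroup)".
RUNAS_RE = re.compile(r"^\(\s*([^:()\s]*)\s*(?::\s*([^:()\s]*))?\s*\)$")


@dataclass(frozen=True)
class RunAs:
    user: str
    group: str


def ldap_rule_to_spec(runas_users, runas_groups):
    """Render LDAP/SSSD sudoRunAsUser/sudoRunAsGroup lists as a sudoers RunAs spec."""
    if not runas_users and not runas_groups:
        return ""  # no RunAs at all: sudoers default, i.e. root
    users = ", ".join(runas_users)
    groups = ", ".join(runas_groups)
    return f"({users}:{groups})" if groups else f"({users})"


def resolve_runas(invoking_user, spec, ldap_pre_1_8_18=False):
    """Return the effective RunAs user/group for a single-value sudoers spec."""
    if spec == "":
        return RunAs("root", PRIMARY_GROUP["root"])
    m = RUNAS_RE.match(spec)
    if not m:
        raise ValueError(f"bad RunAs spec: {spec!r}")
    user, group = m.group(1), m.group(2)
    if not user and not group:
        raise ValueError("empty RunAs spec")
    if not user:
        # Group-only spec: the command runs with the invoking user's uid
        # and only the group changes. The pre-1.8.18 LDAP/SSSD oversight
        # substituted root here, which the fix brought in line with sudoers.
        return RunAs("root" if ldap_pre_1_8_18 else invoking_user, group)
    if not group:
        group = PRIMARY_GROUP.get(user, user)  # user's primary group
    return RunAs(user, group)


if __name__ == "__main__":
    spec = ldap_rule_to_spec([], ["testgroup"])  # the FreeIPA rule in the thread
    print(f"testuser\tALL = {spec} NOPASSWD:ALL", resolve_runas("testuser", spec))
```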

