[sudo-workers] sudoRunAsUser option not behaving properly

Lenka Doudova ldoudova at redhat.com
Tue Nov 1 08:16:54 MDT 2016


thanks very much, I will fix our tests accordingly.


On 11/01/2016 03:05 PM, Todd C. Miller wrote:
> On Tue, 01 Nov 2016 14:54:07 +0100, Lenka Doudova wrote:
>> I was pointed to discussion regarding sudo RunAsUser/RunAsGroup problems
>> [1] and have a question about inproperly handled RunAsUsers as mentioned
>> in the discussion. I'm working on FreeIPA where I have: user testuser,
>> group testgroup, sudorule testrule with RunAsUser empty and
>> RunAsGroup=testgroup. When I want to see list of commands user testuser
>> can run, I get:
> That looks correct to me.  If only RunAsGroup is set, the user
> should be able to run commands as the group but with their own uid,
> not root.
> This is equivalent to the following sudoers file entry:
> testuser	ALL = (:testgroup) NOPASSWD:ALL
> This was a bug fix in 1.8.18 to make LDAP and SSSD consistent with
> file-based sudoers.  It was an oversight when RunAsGroup was initially
> added.
>   - todd

More information about the sudo-workers mailing list