[sudo-workers] sudoRunAsGroup option does not work properly

Tomas Sykora tosykora at redhat.com
Thu Sep 15 07:14:32 MDT 2016

I found a problem in sudo which probably came with the
early defaults in the new 1.8.18 version. I have a user1
and the following content in LDAP:

dn: cn=test,ou=Sudoers,dc=example,dc=com
cn: test
objectClass: top
objectClass: sudoRole
sudoOption: !authenticate
sudoUser: ALL
sudoHost: ALL
sudoCommand: ALL
sudoRunAsGroup: group_user2

Now when I run su user1 -c 'sudo -g group_user2 groups' I get:
Sorry, user user1 is not allowed to execute '/bin/groups' as user1:group_user2...

It's probably caused by the sudo_ldap_check_runas_user() function, which in older versions
returned -1 here:
if (!runas_pw) debug_return_bool(UNSPEC);
but now it returns 0 instead, so it never reaches
the function sudo_ldap_check_runas_group(), and sudo_ldap_check_runas() returns false.
It's the same with sssd.
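Added here as an illustration of the decision logic the message describes, not code from sudo or sssd: a simplified Python model of a tri-state run-as check, where the user check answering "unspecified" lets the group check decide, while answering false denies outright. The names check_runas_user, check_runas_group, check_runas and the UNSPEC constant are assumptions modelled on the message, not sudo's real API, and the rule dictionary is constructed from the LDAP entry above.

```python
# Simplified model (added example, not sudo's own code) of how a
# tri-state run-as user check feeds into the combined run-as decision.
# UNSPEC means "this rule says nothing about the target user"; collapsing
# it into DENY is the regression the report describes.

UNSPEC = -1   # no opinion; keep evaluating the other checks
ALLOW = True
DENY = False


def check_runas_user(rule, runas_pw, old_behaviour):
    """runas_pw is the requested target user, or None when only -g was
    given. Old behaviour: no target user means UNSPEC. New behaviour
    reported above: the same case returns false (deny)."""
    if runas_pw is None:
        return UNSPEC if old_behaviour else DENY
    return ALLOW if runas_pw in rule.get("sudoRunAsUser", []) else DENY


def check_runas_group(rule, runas_gr):
    """Tri-state check of the requested group against sudoRunAsGroup."""
    if runas_gr is None:
        return UNSPEC
    return ALLOW if runas_gr in rule.get("sudoRunAsGroup", []) else DENY


def check_runas(rule, runas_pw, runas_gr, old_behaviour=True):
    """A definite DENY from the user check ends evaluation; UNSPEC hands
    the decision to the group check; ALLOW still requires any requested
    group to match. Compare with == rather than truthiness: -1 is truthy."""
    user_ok = check_runas_user(rule, runas_pw, old_behaviour)
    if user_ok == DENY:
        return False
    if user_ok == UNSPEC:
        return check_runas_group(rule, runas_gr) == ALLOW
    if runas_gr is None:
        return True
    return check_runas_group(rule, runas_gr) == ALLOW


# Constructed rule mirroring the sudoRole entry in the report.
RULE = {"sudoRunAsGroup": ["group_user2"]}


def reproduce():
    """`sudo -g group_user2 groups` with no -u: runas_pw is None.
    Returns (old result, new result)."""
    return (check_runas(RULE, None, "group_user2", old_behaviour=True),
            check_runas(RULE, None, "group_user2", old_behaviour=False))
```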
