[sudo-workers] Match_group_by_gid issue

Tomas Sykora tosykora at redhat.com
Mon Apr 3 08:43:11 MDT 2017


Hi,

if a user has defined a group with the same name locally (he is not a member of it)
and also on a server (sssd, here he is a member of the group) and
match_group_by_gid is set to true, sudo won't allow the user to run a command.

It's because getgrnam always returns the local group, sudo sees that the user is not
a member of this local group and finishes by not allowing the user to run the command.

I'm not sure if this is even possible to fix somehow (whether you can get the second group
from the sssd side with getgrnam somehow). 

This is another group matching issue we ran across beside this one:

https://www.sudo.ws/pipermail/sudo-workers/2017-March/001063.html

but we actually have a customer for this new one. A workaround would be not to use match_group_by_gid
(for now we don't know if the customer needs it) or to use a group name with its domain in sudoers, but
that is connected to the linked issue, so customers would have to set match_group_by_gid to have it
work.

What do you think about it? Is it solvable somehow?

-- 

Tomas Sykora
Security Technologies, 
Red Hat Inc.
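The lookup order described in the post, as a constructed model added here (not sudo's code; the "files before sss" order, group names, gids and the user are assumptions):

```python
# Model of why match_group_by_gid fails when the same group name exists
# both locally and in the sssd domain. Constructed data, not sudo's code.
from collections import namedtuple

Group = namedtuple("Group", "name gid members")

# Assumed NSS order: local /etc/group is consulted before the sssd domain.
LOCAL_GROUPS = [Group("admins", 1001, ())]          # user is NOT a member
SSS_GROUPS = [Group("admins", 20001, ("alice",))]   # user IS a member
NSS_ORDER = [LOCAL_GROUPS, SSS_GROUPS]


def getgrnam(name):
    """First source in NSS order wins, so the local group hides the sssd one."""
    for source in NSS_ORDER:
        for g in source:
            if g.name == name:
                return g
    return None


def getgrgid(gid):
    for source in NSS_ORDER:
        for g in source:
            if g.gid == gid:
                return g
    return None


def user_gids(user):
    """All gids the user holds across sources (what getgrouplist() would give)."""
    return {g.gid for source in NSS_ORDER for g in source if user in g.members}


def sudoers_group_matches(user, group, match_group_by_gid):
    """Does a '%group' entry in sudoers apply to this user?"""
    if match_group_by_gid:
        # Resolve the sudoers name to a gid via getgrnam(), then compare gids.
        g = getgrnam(group)
        return g is not None and g.gid in user_gids(user)
    # Default: map each of the user's gids back to a name and compare names.
    names = {getgrgid(gid).name for gid in user_gids(user)}
    return group in names


if __name__ == "__main__":
    print("local gid via getgrnam:", getgrnam("admins").gid)       # 1001
    print("match by name:", sudoers_group_matches("alice", "admins", False))  # True
    print("match by gid: ", sudoers_group_matches("alice", "admins", True))   # False
```

Name matching succeeds because the user's gid 20001 maps back to "admins", while gid matching resolves "admins" to the local gid 1001, which the user does not hold.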

