[sudo-workers] Match_group_by_gid issue

Jakub Hrozek jhrozek at redhat.com
Mon Apr 3 09:24:16 MDT 2017


On Mon, Apr 03, 2017 at 09:10:09AM -0600, Todd C. Miller wrote:
> I don't think this is solvable on the sudo end.  The only thing
> sudo could do would be to iterate over all groups using getgrent()
> to try and handle the duplicate group names.  That would be rather
> slow.

Additionally, sssd doesn't return results from getgrent() by default
(precisely because it would be too slow).

BTW, I'm not really familiar with sudo code, but does sudo really use the
output of getgr* to decide policy? Wouldn't it be better to go the other
way around and check the list of groups the user is a member of as per
initgroups/getgrouplist?

> 
> If the user wants the sssd groups to take precedence over local
> ones, they should set it to be first in nsswitch.conf.  E.g.
> 
> group:          sss compat
> 
> Alternately, something like the following might work:
> 
> group:          compat [SUCCESS=continue] sss

Alternatively, you can also merge the group results with a recent glibc:
    https://sourceware.org/glibc/wiki/Proposals/GroupMerging
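As an added illustration of the membership check suggested above (example code written for this page, not code from sudo, sssd or glibc), the following C program decides membership by gid from the user's full group list as returned by getgrouplist(3), the same data initgroups(3) uses, rather than by resolving a group name through getgrnam(3), which with duplicate group names only ever yields the entry from whichever NSS source comes first in nsswitch.conf. The helper names (gid_in_list, user_member_of_gid, gid_for_name) are assumptions of this example; it assumes glibc's getgrouplist signature.

```c
/* Added example, not part of the original thread or of sudo/sssd.
 * Decides group membership by gid via getgrouplist(3) instead of by
 * resolving a group name with getgrnam(3). Assumes glibc. */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure check: is target one of the n gids in the list? */
int gid_in_list(const gid_t *gids, int n, gid_t target)
{
    for (int i = 0; i < n; i++)
        if (gids[i] == target)
            return 1;
    return 0;
}

/* Name-based lookup for contrast: with duplicate group names across NSS
 * sources (e.g. a local and an sssd group both called "admins"), getgrnam
 * returns only the first source's entry, so its gid may not be the one
 * the user actually belongs to. Returns 1 and sets *out on success. */
int gid_for_name(const char *name, gid_t *out)
{
    struct group *gr = getgrnam(name);
    if (gr == NULL)
        return 0;
    *out = gr->gr_gid;
    return 1;
}

/* Gather the user's full group list the way initgroups(3) would, growing
 * the buffer until getgrouplist(3) fits, then test for target.
 * Returns 1 if member, 0 if not, -1 on allocation failure. */
int user_member_of_gid(const char *user, gid_t base_gid, gid_t target)
{
    int ngroups = 16;
    gid_t *gids = NULL;

    for (;;) {
        gid_t *tmp = realloc(gids, (size_t)ngroups * sizeof(*gids));
        if (tmp == NULL) {
            free(gids);
            return -1;
        }
        gids = tmp;
        int n = ngroups;
        if (getgrouplist(user, base_gid, gids, &n) != -1) {
            ngroups = n;   /* n now holds the number of entries filled in */
            break;
        }
        /* -1: buffer too small; glibc sets n to the size required */
        ngroups = (n > ngroups) ? n : ngroups * 2;
    }

    int r = gid_in_list(gids, ngroups, target);
    free(gids);
    return r;
}

/* Convenience wrapper: take the primary gid from passwd, then check. */
int user_member_of_gid_by_name(const char *user, gid_t target)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return 0;
    return user_member_of_gid(user, pw->pw_gid, target);
}

/* Usage: ./a.out USER GROUPNAME
 * Prints the gid getgrnam resolves for GROUPNAME and whether USER's
 * own group list (per getgrouplist) contains that gid. */
int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user groupname\n", argv[0]);
        return 2;
    }
    gid_t gid;
    if (!gid_for_name(argv[2], &gid)) {
        fprintf(stderr, "group %s: not found via getgrnam\n", argv[2]);
        return 1;
    }
    int member = user_member_of_gid_by_name(argv[1], gid);
    printf("getgrnam(%s) -> gid %lu; %s %s member by getgrouplist\n",
           argv[2], (unsigned long)gid, argv[1],
           member == 1 ? "is" : "is NOT");
    return member == 1 ? 0 : 1;
}
```

The base gid passed to getgrouplist is always included in the result, so the check never depends on which NSS source answered a group-name lookup; the only lookup by name in the program is the one kept for contrast.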
