[sudo-workers] Match_group_by_gid issue

Todd C. Miller Todd.Miller at courtesan.com
Mon Apr 3 09:30:53 MDT 2017


On Mon, 03 Apr 2017 17:24:16 +0200, Jakub Hrozek wrote:

> btw I'm not really familiar with sudo code, but does sudo really use the
> output of getgr* to decide policy? Wouldn't it be better to go the other
> way around and check the list of groups the user is a member of as per
> initgroups/getgrouplist?

Sudo uses getgroups() or getgrouplist() to get a list of the user's
group IDs.

By default, sudo will resolve those group IDs to names, and then
compare groups by name when matching rules in sudoers.

However, if match_group_by_gid is set, sudo will avoid resolving
the user's group IDs to names and instead look up the groups in
sudoers by name and compare the group IDs.

Either way, if you have conflicting group names or IDs (local vs.
remote) you are asking for trouble.

 - todd
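The two matching modes Todd describes, as an added example that is not sudo's own code: name resolution is simulated with a constructed group table standing in for what getgrgid()/getgrnam() would return from NSS, so it runs offline and shows why a local/remote name collision gives different answers in the two modes.

```python
# Constructed NSS view (example data, not from any real system): a local
# group and a remote (e.g. LDAP) group collide on the name "admins" but
# carry different GIDs.
GROUPS = [
    {"name": "admins", "gid": 1000, "source": "local"},
    {"name": "admins", "gid": 5000, "source": "remote"},
    {"name": "staff",  "gid": 2000, "source": "local"},
]

def getgrgid(gid):
    """First entry for a GID, as NSS would return it (or None)."""
    return next((g for g in GROUPS if g["gid"] == gid), None)

def getgrnam(name):
    """First entry for a name; with duplicates, NSS order decides."""
    return next((g for g in GROUPS if g["name"] == name), None)

def group_rule_matches(rule_group, user_gids, match_group_by_gid=False):
    """Does a '%group' sudoers entry match a user with these GIDs?

    Default mode: resolve each user GID to a name, compare names.
    match_group_by_gid: resolve the rule's name to a GID, compare GIDs.
    """
    if match_group_by_gid:
        entry = getgrnam(rule_group)
        return entry is not None and entry["gid"] in user_gids
    names = {getgrgid(gid)["name"] for gid in user_gids if getgrgid(gid)}
    return rule_group in names

def compare_modes(rule_group, user_gids):
    """Return (match_by_name, match_by_gid) so any divergence is visible."""
    return (group_rule_matches(rule_group, user_gids, False),
            group_rule_matches(rule_group, user_gids, True))

if __name__ == "__main__":
    # A user whose only "admins" membership is the remote group (GID 5000):
    # matched by name, not matched by GID, because getgrnam("admins")
    # returns the local entry first.
    print("%admins vs remote admin:", compare_modes("admins", [5000, 2000]))
    # A user in the local group (GID 1000) is matched by both modes.
    print("%admins vs local admin:", compare_modes("admins", [1000]))
```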
