[sudo-workers] Match_group_by_gid issue

Jakub Hrozek jhrozek at redhat.com
Mon Apr 3 10:03:11 MDT 2017


On Mon, Apr 03, 2017 at 09:30:53AM -0600, Todd C. Miller wrote:
> On Mon, 03 Apr 2017 17:24:16 +0200, Jakub Hrozek wrote:
> 
> > btw I'm not really familiar with sudo code, but does sudo really use the
> > output of getgr* to decide policy? Wouldn't it be better to go the other
> > way around and check the list of groups the user is a member of as per
> > initgroups/getgrouplist?
> 
> Sudo uses getgroups() or getgrouplist() to get a list of the user's
> group IDs.
> 
> By default, sudo will resolve those group IDs to names, and then
> compare groups by name when matching rules in sudoers.
> 
> However, if match_group_by_gid is set, sudo will avoid resolving
> the user's group IDs to names and instead look up the groups in
> sudoers by name and compare the group IDs.
> 
> Either way, if you have conflicting group names or IDs (local vs.
> remote) you are asking for trouble.

Oh, right, conflicting names or IDs won't work. Even the glibc merging
only works if both names and IDs match.
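The two matching strategies Todd describes above, as an added illustration that is not part of this thread or of sudo's own code. It simulates getgrgid()/getgrnam() over a constructed in-memory group table in which a local and a remote "admins" entry share a name but not a GID (the local source is consulted first, as with an NSS order of files before the remote backend; both the table and that ordering are assumptions), and shows how name-based matching and match_group_by_gid reach different verdicts for a user whose group list comes from the remote source:

```python
"""Simulation of sudo's two group-matching modes (constructed example, not
sudo's own code).  The table below stands in for the name service; lookups
return the local entry first, mirroring an NSS order of 'files' before a
remote backend (assumed for this illustration)."""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Group:
    name: str
    gid: int
    source: str  # "local" or "remote": which name-service source supplied it


# Constructed group database.  The conflict: "admins" exists both locally
# (GID 1001) and remotely (GID 5001) under the same name.
GROUP_DB = [
    Group("wheel", 10, "local"),
    Group("admins", 1001, "local"),
    Group("admins", 5001, "remote"),
    Group("devs", 5002, "remote"),
]


def _ordered():
    # Local entries first, like a files-before-remote NSS lookup order.
    return sorted(GROUP_DB, key=lambda g: g.source != "local")


def getgrgid(gid: int) -> Optional[Group]:
    """Stand-in for getgrgid(3): first entry with this GID."""
    return next((g for g in _ordered() if g.gid == gid), None)


def getgrnam(name: str) -> Optional[Group]:
    """Stand-in for getgrnam(3): first entry with this name."""
    return next((g for g in _ordered() if g.name == name), None)


def match_by_name(user_gids: List[int], sudoers_group: str) -> bool:
    """Default mode: resolve each of the user's GIDs (from getgrouplist)
    to a name, then compare names against the %group in sudoers."""
    names = set()
    for gid in user_gids:
        g = getgrgid(gid)
        if g is not None:
            names.add(g.name)
    return sudoers_group in names


def match_by_gid(user_gids: List[int], sudoers_group: str) -> bool:
    """match_group_by_gid mode: resolve the sudoers %group name to a GID
    and compare GIDs, never resolving the user's own GIDs to names."""
    g = getgrnam(sudoers_group)
    return g is not None and g.gid in set(user_gids)


def verdicts(user_gids: List[int], sudoers_group: str) -> dict:
    """Both verdicts side by side for one user/rule pair."""
    return {
        "by_name": match_by_name(user_gids, sudoers_group),
        "by_gid": match_by_gid(user_gids, sudoers_group),
    }


if __name__ == "__main__":
    # Constructed users: a remote user whose group list holds the remote
    # "admins" GID, and a local user in the local "admins" group.
    for label, gids in (("remote user", [5001, 5002]), ("local user", [10, 1001])):
        print(label, "vs %admins:", verdicts(gids, "admins"))
```

For the remote user, name-based matching grants the %admins rule (GID 5001 resolves to a group named "admins") while match_group_by_gid denies it (the name "admins" resolves to the local GID 1001, which the user does not hold). The local user matches in both modes. That divergence is the "asking for trouble" case: which rule applies depends on the matching mode and the name-service order, so the defensive fix is to remove the name/GID conflict rather than to rely on either mode.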

