[sudo-workers] Problem with matching group names with domain in sudoers

Tomas Sykora tosykora at redhat.com
Thu Mar 30 08:42:03 MDT 2017


Hi,

I ran across this problem in sudoers groups matching:

When there is a rule containing a group with a domain in sudoers, e.g.

%test_group@domain ALL=(ALL) NOPASSWD:ALL

sudo tries to match strcasecmp("test_group", "test_group@domain") in user_in_group (pwutil.c),
which of course fails and the user is not permitted to run the command.
I'm not sure what would be the optimal solution here, as matching groups
by gid is only done when match_group_by_gid is set. Also, the domain part
of the string probably can't simply be cut off, as it is important information
in case there are several different servers with a group of the same name and
we'd like to choose only members of some of these groups, so the domain part
must stay there to make the distinction.

-- 

Tomas Sykora
Security Technologies, 
Red Hat Inc.
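Added illustration (not sudo's code and not a proposed patch): the first function reproduces the comparison the message describes, which cannot succeed once the rule's group name has lost its domain; the second is one possible domain-aware comparison that keeps the domain significant, so same-named groups from different servers stay distinct. The function names and the strict rule that an unqualified rule only matches an unqualified group are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Comparison as described in the message: the rule's group name has lost
 * its "@domain" suffix while the user's actual group name still carries it,
 * so strcasecmp() can never report a match. */
int naive_group_match(const char *rule_group, const char *user_group)
{
    return strcasecmp(rule_group, user_group) == 0;
}

/* Domain-aware comparison (example only). A group string is "name" or
 * "name@domain". The name parts must match case-insensitively; if the rule
 * names a domain, the user's group must carry the same domain, so
 * "test_group@server1" and "test_group@server2" remain different groups.
 * Assumption for this example: a rule without a domain matches only an
 * unqualified group, never a domain-qualified one. */
int domain_group_match(const char *rule_group, const char *user_group)
{
    const char *rule_at = strchr(rule_group, '@');
    const char *user_at = strchr(user_group, '@');
    size_t rule_len = rule_at ? (size_t)(rule_at - rule_group) : strlen(rule_group);
    size_t user_len = user_at ? (size_t)(user_at - user_group) : strlen(user_group);

    /* Name part: same length and case-insensitively equal. */
    if (rule_len != user_len || strncasecmp(rule_group, user_group, rule_len) != 0)
        return 0;
    if (rule_at == NULL && user_at == NULL)
        return 1;               /* both unqualified */
    if (rule_at == NULL || user_at == NULL)
        return 0;               /* only one side carries a domain */
    /* Domain part: must be equal, which keeps same-named groups apart. */
    return strcasecmp(rule_at + 1, user_at + 1) == 0;
}

int main(void)
{
    /* Constructed sample values based on the rule quoted in the message. */
    printf("naive match:            %d\n",
           naive_group_match("test_group", "test_group@domain"));
    printf("domain-aware match:     %d\n",
           domain_group_match("test_group@domain", "test_group@domain"));
    printf("different domain match: %d\n",
           domain_group_match("test_group@domain", "test_group@otherdomain"));
    return 0;
}
```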

