Bug 235915

Summary: sudo can't always correctly determine group membership
Product: [Fedora] Fedora
Reporter: Nalin Dahyabhai <nalin>
Component: sudo
Assignee: Peter Vrabec <pvrabec>
Status: CLOSED RAWHIDE
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: boklm
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-04-12 08:41:25 UTC
Attachments:
use getgrouplist() if all else fails (flags: none)

Description Nalin Dahyabhai 2007-04-10 19:21:42 UTC
Description of problem:
When checking if a user is a member of a group, sudo opens the group's entry
using getgrnam() and scans the member list.  Depending on which nsswitch modules
are in use, this may or may not be enough, so it needs to fall back on
getgrouplist().

Version-Release number of selected component (if applicable):
1.6.8p12

How reproducible:
Always

Steps to Reproduce:
1. Grant a user access by virtue of being in a group.
2. Define that group using hesiod, or in both /etc/group and anywhere else.  The
second option is a *terrible* idea, but it happens.
  
Actual results:
The user will only be granted access if the user is listed in the first location
where the group's entry can be found, contradicting the "groups" command.

Expected results:
User gets access.

Comment 1 Nalin Dahyabhai 2007-04-10 19:21:42 UTC
Created attachment 152173
use getgrouplist() if all else fails
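
The lookup order described in the report, as an added example; this is not the attached patch and not sudo's code. The function names `listed_in_entry`, `listed_by_getgrouplist` and `user_in_group` are hypothetical, and any failed lookup is treated as "not a member".

```c
#define _DEFAULT_SOURCE            /* exposes getgrouplist() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>

/* The check from the report: scan the member list of one group entry. */
static int listed_in_entry(const struct group *gr, const char *user)
{
    for (char **m = gr->gr_mem; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* The fallback: ask NSS for every gid of the user, across all sources. */
static int listed_by_getgrouplist(const char *user, gid_t primary, gid_t want)
{
    int n = 32, found = 0;
    gid_t *gids = malloc((size_t)n * sizeof(*gids));
    if (gids == NULL) return 0;
    if (getgrouplist(user, primary, gids, &n) == -1) {
        /* Buffer too small: n now holds the needed count, so retry once. */
        gid_t *bigger = realloc(gids, (size_t)n * sizeof(*gids));
        if (bigger == NULL || getgrouplist(user, primary, bigger, &n) == -1) {
            free(bigger != NULL ? bigger : gids);
            return 0;
        }
        gids = bigger;
    }
    for (int i = 0; i < n; i++)
        found |= (gids[i] == want);
    free(gids);
    return found;
}

/* Returns 1 only on a positive match; every lookup failure denies. */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return 0;
    gid_t primary = pw->pw_gid;    /* copy before further NSS calls */
    struct group *gr = getgrnam(group);
    if (gr == NULL) return 0;
    if (primary == gr->gr_gid || listed_in_entry(gr, user))
        return 1;
    return listed_by_getgrouplist(user, primary, gr->gr_gid);
}
```

`getgrnam()` returns only the first entry found for the group name, so a user listed in a later source is missed by the member scan; `getgrouplist()` covers that case.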

Comment 2 Peter Vrabec 2007-04-12 08:38:58 UTC
Thanks, Nalin,
it's fixed in sudo-1.6.8p12-14.fc7


Comment 3 Nicolas Vigier 2011-03-19 13:19:31 UTC
Hello,

I see that the Fedora package has a patch for this. Is it planned to submit this patch upstream, or has it already been done?