Bug 235915 - sudo can't always correctly determine group membership
Summary: sudo can't always correctly determine group membership
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: sudo
Version: rawhide
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Peter Vrabec
QA Contact: Ben Levenson
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2007-04-10 19:21 UTC by Nalin Dahyabhai
Modified: 2011-03-19 13:19 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-04-12 08:41:25 UTC
Type: ---
Embargoed:


Attachments
use getgrouplist() if all else fails (2.31 KB, patch)
2007-04-10 19:21 UTC, Nalin Dahyabhai

Description Nalin Dahyabhai 2007-04-10 19:21:42 UTC
Description of problem:
When checking if a user is a member of a group, sudo opens the group's entry
using getgrnam() and scans the member list.  Depending on which nsswitch modules
are in use, this may or may not be enough, so it needs to fall back on
getgrouplist().

Version-Release number of selected component (if applicable):
1.6.8p12

How reproducible:
Always

Steps to Reproduce:
1. Grant a user access by virtue of being in a group.
2. Define that group using hesiod, or in both /etc/group and anywhere else.  The
second option is a *terrible* idea, but it happens.
  
Actual results:
The user will only be granted access if the user is listed in the first location
where the group's entry can be found, contradicting the "groups" command.

Expected results:
User gets access.
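
The lookup order described in this report, as an added example (not sudo's code and not the attached patch): scan the `getgrnam()` member list first, then fall back to `getgrouplist()`, which returns the user's groups as resolved across all configured nsswitch sources. The function names `user_in_group`, `listed_in_members` and `gid_in_list` and the initial buffer size of 32 are assumptions made for illustration; glibc is assumed.

```c
#define _DEFAULT_SOURCE /* glibc: expose getgrouplist() */
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>

/* The check from the report: scan the member list of one group entry. */
static int listed_in_members(char **members, const char *user)
{
    for (char **m = members; m != NULL && *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Is gid among the n group IDs returned by getgrouplist()? */
static int gid_in_list(gid_t gid, const gid_t *gids, int n)
{
    for (int i = 0; i < n; i++)
        if (gids[i] == gid)
            return 1;
    return 0;
}

/* 1 if user belongs to group, 0 if not or if a lookup fails (fail closed). */
int user_in_group(const char *user, const char *group)
{
    struct group *gr = getgrnam(group);
    if (gr == NULL)
        return 0;
    if (listed_in_members(gr->gr_mem, user))
        return 1;
    gid_t target = gr->gr_gid; /* copy now: gr points at static storage */
    struct passwd *pw = getpwnam(user);
    int n = 32;
    gid_t *gids = pw ? malloc(n * sizeof *gids) : NULL;
    if (gids == NULL)
        return 0;
    gid_t primary = pw->pw_gid;
    /* Fallback: ask NSS for all the user's groups; on -1, n holds the needed size. */
    if (getgrouplist(user, primary, gids, &n) == -1) {
        free(gids);
        gids = malloc((size_t)n * sizeof *gids);
        if (gids == NULL || getgrouplist(user, primary, gids, &n) == -1)
            n = 0;
    }
    int found = gid_in_list(target, gids, n);
    free(gids);
    return found;
}
```

Because `getgrouplist()` always includes the primary GID passed to it, a user whose primary group is the target also counts as a member, which matches what the `groups` command prints.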

Comment 1 Nalin Dahyabhai 2007-04-10 19:21:42 UTC
Created attachment 152173
use getgrouplist() if all else fails

Comment 2 Peter Vrabec 2007-04-12 08:38:58 UTC
Thanks, Nalin.
It's fixed in sudo-1.6.8p12-14.fc7


Comment 3 Nicolas Vigier 2011-03-19 13:19:31 UTC
Hello,

I see that the Fedora package has a patch for this. Is it planned to submit this patch upstream, or has it already been done?

