Bug 235915 - sudo can't always correctly determine group membership
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: sudo
Version: rawhide
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Peter Vrabec
QA Contact: Ben Levenson
Reported: 2007-04-10 15:21 EDT by Nalin Dahyabhai
Modified: 2011-03-19 09:19 EDT
Doc Type: Bug Fix
Last Closed: 2007-04-12 04:41:25 EDT

Attachments
use getgrouplist() if all else fails (2.31 KB, patch)
2007-04-10 15:21 EDT, Nalin Dahyabhai
Description Nalin Dahyabhai 2007-04-10 15:21:42 EDT
Description of problem:
When checking if a user is a member of a group, sudo opens the group's entry
using getgrnam() and scans the member list.  Depending on which nsswitch modules
are in use, this may or may not be enough, so it needs to fall back on
getgrouplist().

Version-Release number of selected component (if applicable):
1.6.8p12

How reproducible:
Always

Steps to Reproduce:
1. Grant a user access by virtue of being in a group.
2. Define that group using hesiod, or in both /etc/group and anywhere else.  The
second option is a *terrible* idea, but it happens.
  
Actual results:
The user will only be granted access if user is listed in the first location
where the group's entry can be found, contradicting the "groups" command.

Expected results:
User gets access.
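
The check described in the report above, as an added example that is not part of the bug report or the attached patch: scan the member list of the entry getgrnam() returns, then fall back to getgrouplist(). It assumes Linux/glibc, and the names name_in_members, gid_in_list and user_in_group are hypothetical.

```c
/* Added example, not sudo's code. Assumes Linux/glibc; names are hypothetical. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE /* makes glibc declare getgrouplist() */
#endif
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <string.h>

/* Scan a NULL-terminated member list (the shape of struct group's gr_mem). */
static int name_in_members(const char *user, char *const *members)
{
    for (; members != NULL && *members != NULL; members++)
        if (strcmp(*members, user) == 0) return 1;
    return 0;
}

/* Search the gid array that getgrouplist() fills in. */
static int gid_in_list(gid_t gid, const gid_t *gids, int n)
{
    for (int i = 0; i < n; i++)
        if (gids[i] == gid) return 1;
    return 0;
}

/* Returns 1 if user is a member of group, 0 if not or if a lookup fails. */
int user_in_group(const char *user, const char *group)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL) return 0;
    gid_t pgid = pw->pw_gid;               /* copy out of static storage */
    struct group *gr = getgrnam(group);
    if (gr == NULL) return 0;
    if (name_in_members(user, gr->gr_mem)) /* the one entry getgrnam() found */
        return 1;
    gid_t want = gr->gr_gid;
    int n = 32;
    gid_t *gids = malloc(n * sizeof(*gids));
    if (gids == NULL) return 0;
    int rc = getgrouplist(user, pgid, gids, &n); /* fallback: all NSS sources */
    gid_t *bigger = rc == -1 ? realloc(gids, n * sizeof(*gids)) : NULL;
    if (bigger != NULL) {                  /* retry with the count now in n */
        gids = bigger;
        rc = getgrouplist(user, pgid, gids, &n);
    }
    int found = rc != -1 && gid_in_list(want, gids, n);
    free(gids);
    return found;
}
```

Because getgrouplist() also returns the gid passed as its second argument, the fallback covers membership through the user's primary group as well.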
Comment 1 Nalin Dahyabhai 2007-04-10 15:21:42 EDT
Created attachment 152173 [details]
use getgrouplist() if all else fails
Comment 2 Peter Vrabec 2007-04-12 04:38:58 EDT
thnx. Nalin, 
it's fixed in sudo-1.6.8p12-14.fc7
Comment 3 Nicolas Vigier 2011-03-19 09:19:31 EDT
Hello,

I see that the Fedora package has a patch for this. Is it planned to submit this patch upstream, or has it already been done?
