Red Hat Bugzilla – Bug 235915
sudo can't always correctly determine group membership
Last modified: 2011-03-19 09:19:31 EDT
Description of problem:
When checking if a user is a member of a group, sudo opens the group's entry
using getgrnam() and scans the member list. Depending on which nsswitch modules
are in use, this may or may not be enough, so it needs to fall back on
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Grant a user access by virtue of being in a group.
2. Define that group using hesiod, or in both /etc/group and anywhere else. The
second option is a *terrible* idea, but it happens.
Actual results:
The user will only be granted access if user is listed in the first location
where the group's entry can be found, contradicting the "groups" command.
Expected results:
User gets access.
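The two lookup paths the report contrasts, written out as an added example in C. This is not the attached patch and not sudo's own code; the function names are this example's own. user_in_gr_mem() does what the report says sudo did, scanning the member list of the single struct group that getgrnam() returns, and user_has_gid() does what the attachment's summary describes, asking getgrouplist() for the user's complete group set. demo_scan_constructed() runs the scan over a constructed "wheel" entry rather than anything read from the system. The example assumes a glibc/Linux host with a "root" account whose primary gid is 0.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Path 1: the check the report describes. Scan the gr_mem list of one
 * struct group, i.e. whatever getgrnam() handed back, which is only the
 * first entry nsswitch finds for that name. gr_mem lists supplementary
 * members only, so a user's primary group never shows up here. */
int user_in_gr_mem(const char *user, const struct group *gr)
{
    if (gr == NULL || gr->gr_mem == NULL)
        return 0;
    for (char **m = gr->gr_mem; *m != NULL; m++)
        if (strcmp(*m, user) == 0)
            return 1;
    return 0;
}

/* Path 2: the fallback the attachment describes. getgrouplist() returns
 * the user's primary gid plus the supplementary gids gathered from every
 * configured NSS source. Returns 1 if gid is among them, else 0 (an
 * unknown user or an allocation failure also yields 0). */
int user_has_gid(const char *user, gid_t gid)
{
    struct passwd *pw = getpwnam(user);
    if (pw == NULL)
        return 0;

    int n = 16;
    gid_t *groups = malloc((size_t)n * sizeof *groups);
    if (groups == NULL)
        return 0;

    /* glibc returns -1 and stores the required count in n when the
     * buffer is too small: grow and retry, but never loop without
     * making progress. */
    for (;;) {
        int have = n;
        if (getgrouplist(user, pw->pw_gid, groups, &n) != -1)
            break;
        if (n <= have) {
            free(groups);
            return 0;
        }
        gid_t *tmp = realloc(groups, (size_t)n * sizeof *groups);
        if (tmp == NULL) {
            free(groups);
            return 0;
        }
        groups = tmp;
    }

    int found = 0;
    for (int i = 0; i < n; i++) {
        if (groups[i] == gid) {
            found = 1;
            break;
        }
    }
    free(groups);
    return found;
}

/* Combined check: member-list scan first, getgrouplist() if that fails. */
int user_in_group(const char *user, const char *groupname)
{
    struct group *gr = getgrnam(groupname);
    if (gr == NULL)
        return 0;
    if (user_in_gr_mem(user, gr))
        return 1;
    return user_has_gid(user, gr->gr_gid);
}

/* Constructed group entry (not read from the system) so the gr_mem scan
 * can be exercised deterministically: "wheel", gid 10, members alice and bob. */
int demo_scan_constructed(const char *user)
{
    char *members[] = { "alice", "bob", NULL };
    struct group gr;
    memset(&gr, 0, sizeof gr);
    gr.gr_name = "wheel";
    gr.gr_gid = 10;
    gr.gr_mem = members;
    return user_in_gr_mem(user, &gr);
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s user group\n", argv[0]);
        return 2;
    }
    printf("gr_mem scan : %d\n", user_in_gr_mem(argv[1], getgrnam(argv[2])));
    printf("with fallback: %d\n", user_in_group(argv[1], argv[2]));
    return 0;
}
```

Running it as `./a.out root root` on a typical system shows the two paths disagreeing in the way the report describes: the gr_mem scan usually reports 0, because root's membership in group root is via the primary gid rather than the member list, while the getgrouplist() fallback reports 1. The same disagreement appears when the first nsswitch source for a group name is not the one that lists the user, since getgrnam() stops at the first matching entry while getgrouplist() merges all sources.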
Created attachment 152173 [details]
use getgrouplist() if all else fails
It's fixed in sudo-1.6.8p12-14.fc7.
I see that the Fedora package has a patch for this. Is it planned to submit this patch upstream, or has it already been done?