497873 – sudo gives bogus group membership if runas_default=xxx is used

Bug 497873 - sudo gives bogus group membership if runas_default=xxx is used

Summary: sudo gives bogus group membership if runas_default=xxx is used

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 5
Classification:	Red Hat
Component:	sudo
Sub Component:
Version:	5.3
Hardware:	i686
OS:	Linux
Priority:	low
Severity:	medium
Target Milestone:	rc
Target Release:	---
Assignee:	Daniel Kopeček
QA Contact:	BaseOS QE
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	CVE-2010-0427
TreeView+	depends on / blocked

Reported:	2009-04-27 16:57 UTC by Ric Anderson
Modified:	2010-03-30 08:16 UTC (History)
CC List:	4 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Clones:	CVE-2010-0427 (view as bug list)
Environment:
Last Closed:	2010-03-30 08:16:46 UTC
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)
diff from author to fix bogus groups with runas_default (2.28 KB, patch) 2009-04-27 16:58 UTC, Ric Anderson	no flags	Details \| Diff
View All

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2010:0212	0	normal	SHIPPED_LIVE	sudo bug fix update	2010-03-29 12:30:14 UTC

Description Ric Anderson 2009-04-27 16:57:20 UTC

Description of problem: sudo with runas_default=oracle gets wrong group list


Version-Release number of selected component (if applicable): sudo-1.6.9p17-3.el5_3.1

How reproducible: everytime


Steps to Reproduce:
1. add these lines to /etc/sudoers
   Defaults        always_set_home, runas_default=oracle to sudoers
   %dba ALL=(oracle) ALL
2. Create user ric, group dba
3. as ric, do
   sudo -i
   to become oracle.  
4. After the sudo, do
     [oracle@uaz-hr-d02 ~]$ id

   
  
Actual results:
   Id says the following - note dba is missing, and a bunch of system groups are present:
     uid=502(oracle) gid=500(oinstall) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Expected results:
   Id should say
     uid=502(oracle) gid=500(oinstall) groups=500(oinstall),501(dba)

Additional info:
   Author (Todd Miller) has generated a bug fix for 1.6.9;  The problem is already fixed in 1.7.1.  See http://www.gratisoft.us/bugzilla/attachment.cgi?id=255.  If you can't view that, the patch is attached

Comment 1 Ric Anderson 2009-04-27 16:58:29 UTC

Created attachment 341461 [details]
diff from author to fix bogus groups with runas_default

Comment 6 errata-xmlrpc 2010-03-30 08:16:46 UTC

An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0212.html

Note You need to log in before you can comment on or make changes to this bug.