Bug 497873 - sudo gives bogus group membership if runas_default=xxx is used
Summary: sudo gives bogus group membership if runas_default=xxx is used
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sudo
Version: 5.3
Hardware: i686
OS: Linux
low
medium
Target Milestone: rc
: ---
Assignee: Daniel Kopeček
QA Contact: BaseOS QE
URL:
Whiteboard:
Depends On:
Blocks: CVE-2010-0427
TreeView+ depends on / blocked
 
Reported: 2009-04-27 16:57 UTC by Ric Anderson
Modified: 2010-03-30 08:16 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
: CVE-2010-0427 (view as bug list)
Environment:
Last Closed: 2010-03-30 08:16:46 UTC
Target Upstream Version:


Attachments (Terms of Use)
diff from author to fix bogus groups with runas_default (2.28 KB, patch)
2009-04-27 16:58 UTC, Ric Anderson
no flags Details | Diff


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2010:0212 0 normal SHIPPED_LIVE sudo bug fix update 2010-03-29 12:30:14 UTC

Description Ric Anderson 2009-04-27 16:57:20 UTC
Description of problem: sudo with runas_default=oracle gets wrong group list


Version-Release number of selected component (if applicable): sudo-1.6.9p17-3.el5_3.1

How reproducible: everytime


Steps to Reproduce:
1. add these lines to /etc/sudoers
   Defaults        always_set_home, runas_default=oracle to sudoers
   %dba ALL=(oracle) ALL
2. Create user ric, group dba
3. as ric, do
   sudo -i
   to become oracle.  
4. After the sudo, do
     [oracle@uaz-hr-d02 ~]$ id

   
  
Actual results:
   Id says the following - note dba is missing, and a bunch of system groups are present:
     uid=502(oracle) gid=500(oinstall) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Expected results:
   Id should say
     uid=502(oracle) gid=500(oinstall) groups=500(oinstall),501(dba)

Additional info:
   Author (Todd Miller) has generated a bug fix for 1.6.9;  The problem is already fixed in 1.7.1.  See http://www.gratisoft.us/bugzilla/attachment.cgi?id=255.  If you can't view that, the patch is attached

Comment 1 Ric Anderson 2009-04-27 16:58:29 UTC
Created attachment 341461 [details]
diff from author to fix bogus groups with runas_default

Comment 6 errata-xmlrpc 2010-03-30 08:16:46 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0212.html


Note You need to log in before you can comment on or make changes to this bug.