Bug 497873 - sudo gives bogus group membership if runas_default=xxx is used
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sudo
Hardware: i686 Linux
Priority: low, Severity: medium
Assigned To: Daniel Kopeček
Depends On:
Blocks: CVE-2010-0427
Reported: 2009-04-27 12:57 EDT by Ric Anderson
Modified: 2010-03-30 04:16 EDT
Doc Type: Bug Fix
Last Closed: 2010-03-30 04:16:46 EDT

Attachments
diff from author to fix bogus groups with runas_default (2.28 KB, patch)
2009-04-27 12:58 EDT, Ric Anderson

Description Ric Anderson 2009-04-27 12:57:20 EDT
Description of problem: sudo with runas_default=oracle gets wrong group list

Version-Release number of selected component (if applicable): sudo-1.6.9p17-3.el5_3.1

How reproducible: every time

Steps to Reproduce:
1. add these lines to /etc/sudoers
   Defaults        always_set_home, runas_default=oracle
   %dba ALL=(oracle) ALL
2. Create user ric, group dba
3. as ric, do
   sudo -i
   to become oracle.  
4. After the sudo, do
     [oracle@uaz-hr-d02 ~]$ id

Actual results:
   Id says the following - note dba is missing, and a bunch of system groups are present:
     uid=502(oracle) gid=500(oinstall) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Expected results:
   Id should say
     uid=502(oracle) gid=500(oinstall) groups=500(oinstall),501(dba)

Additional info:
   Author (Todd Miller) has generated a bug fix for 1.6.9; the problem is already fixed in 1.7.1.  See http://www.gratisoft.us/bugzilla/attachment.cgi?id=255.  If you can't view that, the patch is attached.
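
A check for the symptom reported above, as an added example that is not part of the bug report or of sudo: it compares the groups the current process actually holds (`id -G`) with the groups the passwd/group databases assign to that user (`id -G USER`). The function names `has_gid`, `group_diff` and `check_session` are hypothetical, and the GID lists in the closing comment are constructed from the `id` output quoted in the report.

```sh
#!/bin/sh
# Added example: compare a session's real group list with the group database.

# has_gid LIST GID: succeed if GID appears in the space-separated LIST.
has_gid() {
    case " $1 " in
        *" $2 "*) return 0 ;;
    esac
    return 1
}

# group_diff ACTUAL EXPECTED: report GIDs held but not expected ("extra")
# and GIDs expected but not held ("missing").
group_diff() {
    extra=""
    missing=""
    for g in $1; do has_gid "$2" "$g" || extra="$extra $g"; done
    for g in $2; do has_gid "$1" "$g" || missing="$missing $g"; done
    echo "extra:${extra:- none} missing:${missing:- none}"
}

# check_session: run inside the session under test (e.g. after `sudo -i`).
check_session() {
    user=$(id -un) || return 2
    actual=$(id -G)              # groups this process really holds
    expected=$(id -G "$user")    # groups the passwd/group databases assign
    result=$(group_diff "$actual" "$expected")
    echo "$user: $result"
    [ "$result" = "extra: none missing: none" ]
}

# Constructed from the report's `id` output (effective GID first, as id -G lists it):
#   group_diff "500 0 1 2 3 4 6 10" "500 501"
if [ "${1:-}" = "--check" ]; then
    check_session
fi
```

Run `check_session` in the shell that `sudo -i` starts; a non-zero status means the session's group list does not match the group database. A long-lived login whose memberships were edited afterwards can also differ, so test a fresh session.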
Comment 1 Ric Anderson 2009-04-27 12:58:29 EDT
Created attachment 341461
diff from author to fix bogus groups with runas_default
Comment 6 errata-xmlrpc 2010-03-30 04:16:46 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

