Bug 497873 - sudo gives bogus group membership if runas_default=xxx is used
Summary: sudo gives bogus group membership if runas_default=xxx is used
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sudo
Version: 5.3
Hardware: i686
OS: Linux
Target Milestone: rc
Assignee: Daniel Kopeček
QA Contact: BaseOS QE
Depends On:
Blocks: CVE-2010-0427
Reported: 2009-04-27 16:57 UTC by Ric Anderson
Modified: 2010-03-30 08:16 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2010-03-30 08:16:46 UTC
Target Upstream Version:

Attachments
diff from author to fix bogus groups with runas_default (2.28 KB, patch)
2009-04-27 16:58 UTC, Ric Anderson

Links:
System: Red Hat Product Errata
ID: RHBA-2010:0212
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: sudo bug fix update
Last Updated: 2010-03-29 12:30:14 UTC

Description Ric Anderson 2009-04-27 16:57:20 UTC
Description of problem: sudo with runas_default=oracle gets wrong group list

Version-Release number of selected component (if applicable): sudo-1.6.9p17-3.el5_3.1

How reproducible: every time

Steps to Reproduce:
1. Add these lines to /etc/sudoers:
   Defaults        always_set_home, runas_default=oracle
   %dba ALL=(oracle) ALL
2. Create user ric, group dba
3. As ric, do
   sudo -i
   to become oracle.
4. After the sudo, do
     [oracle@uaz-hr-d02 ~]$ id

Actual results:
   Id says the following - note dba is missing, and a bunch of system groups are present:
     uid=502(oracle) gid=500(oinstall) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Expected results:
   Id should say
     uid=502(oracle) gid=500(oinstall) groups=500(oinstall),501(dba)

Additional info:
   Author (Todd Miller) has generated a bug fix for 1.6.9; the problem is already fixed in 1.7.1.  See http://www.gratisoft.us/bugzilla/attachment.cgi?id=255.  If you can't view that, the patch is attached.
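
A check for the symptom described above, as an added example that is not part of the bug report or of sudo: it diffs the supplementary groups in two `id` lines (here the report's actual and expected results), and `live_drift` compares the groups the current process holds with the group database entry for the same user. The function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect the symptom from this report by diffing group lists.
# Function names are hypothetical; sample lines are copied from the report.

# Extract numeric supplementary GIDs from one line of `id` output.
# Names in parentheses and any trailing field (e.g. SELinux context=) are dropped.
id_gids() {
    printf '%s\n' "$1" |
        sed -n '/groups=/{s/.*groups=//;s/([^)]*)//g;s/ .*//;p;}' |
        tr ',' ' '
}

# Compare two space-separated GID lists as sets.
# Prints: extra=<GIDs only in observed> missing=<GIDs only in expected>
gid_drift() {
    _obs=$1 _exp=$2 _extra="" _missing=""
    for _g in $_obs; do
        case " $_exp " in *" $_g "*) ;; *) _extra="$_extra $_g" ;; esac
    done
    for _g in $_exp; do
        case " $_obs " in *" $_g "*) ;; *) _missing="$_missing $_g" ;; esac
    done
    printf 'extra=%s missing=%s\n' "${_extra# }" "${_missing# }"
}

# Live check, run inside the sudo session: the groups the process really holds
# (`id -G`) versus what the group database says for that user (`id -G USER`).
live_drift() {
    gid_drift "$(id -G)" "$(id -G "$(id -un)")"
}

# "Actual results" and "Expected results" lines from the report.
ACTUAL='uid=502(oracle) gid=500(oinstall) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)'
EXPECTED='uid=502(oracle) gid=500(oinstall) groups=500(oinstall),501(dba)'

gid_drift "$(id_gids "$ACTUAL")" "$(id_gids "$EXPECTED")"
```

A non-empty `extra=` or `missing=` from `live_drift` inside a `sudo -i` session means the session's group list does not match the group database for the target user.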

Comment 1 Ric Anderson 2009-04-27 16:58:29 UTC
Created attachment 341461
diff from author to fix bogus groups with runas_default

Comment 6 errata-xmlrpc 2010-03-30 08:16:46 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

