Bug 497873 - sudo gives bogus group membership if runas_default=xxx is used
sudo gives bogus group membership if runas_default=xxx is used
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: sudo (Show other bugs)
5.3
i686 Linux
low Severity medium
: rc
: ---
Assigned To: Daniel Kopeček
BaseOS QE
:
Depends On:
Blocks: CVE-2010-0427
  Show dependency treegraph
 
Reported: 2009-04-27 12:57 EDT by Ric Anderson
Modified: 2010-03-30 04:16 EDT (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: CVE-2010-0427 (view as bug list)
Environment:
Last Closed: 2010-03-30 04:16:46 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
diff from author to fix bogus groups with runas_default (2.28 KB, patch)
2009-04-27 12:58 EDT, Ric Anderson
no flags Details | Diff

  None (edit)
Description Ric Anderson 2009-04-27 12:57:20 EDT
Description of problem: sudo with runas_default=oracle gets wrong group list


Version-Release number of selected component (if applicable): sudo-1.6.9p17-3.el5_3.1

How reproducible: everytime


Steps to Reproduce:
1. add these lines to /etc/sudoers
   Defaults        always_set_home, runas_default=oracle to sudoers
   %dba ALL=(oracle) ALL
2. Create user ric, group dba
3. as ric, do
   sudo -i
   to become oracle.  
4. After the sudo, do
     [oracle@uaz-hr-d02 ~]$ id

   
  
Actual results:
   Id says the following - note dba is missing, and a bunch of system groups are present:
     uid=502(oracle) gid=500(oinstall) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel)

Expected results:
   Id should say
     uid=502(oracle) gid=500(oinstall) groups=500(oinstall),501(dba)

Additional info:
   Author (Todd Miller) has generated a bug fix for 1.6.9;  The problem is already fixed in 1.7.1.  See http://www.gratisoft.us/bugzilla/attachment.cgi?id=255.  If you can't view that, the patch is attached
Comment 1 Ric Anderson 2009-04-27 12:58:29 EDT
Created attachment 341461 [details]
diff from author to fix bogus groups with runas_default
Comment 6 errata-xmlrpc 2010-03-30 04:16:46 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2010-0212.html

Note You need to log in before you can comment on or make changes to this bug.