Bug 1028

Summary: Feature request: expose that --preserve-groups is used via an environment variable
Product: Sudo
Reporter: Kentzo <kulakov.ilya>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: NEW
Severity: normal    
Priority: low    
Version: 1.9.10   
Hardware: PC   
OS: MacOS X   

Description Kentzo 2022-04-13 14:37:38 MDT
On macOS, getgroups has two modes of operation:

1. It returns up to NGROUPS_MAX groups of the current user process
2. It returns an unlimited number of groups of the user's default group access list

This choice is made at compile time by defining either _DARWIN_C_SOURCE or _DARWIN_UNLIMITED_GETGROUPS.

Since usage of setgroups cannot be detected on macOS, a target application compiled with either of the macros will "misbehave" by ignoring the `--preserve-groups` option.

One notable example of this behavior is CPython's os.getgroups function.

I request that sudo should be modified to expose via an environment variable (e.g. SUDO_PRESERVE_GROUPS) whether the --preserve-groups option (or a corresponding sudoers setting) is set.

If implemented, it will allow applications, such as CPython's os.getgroups, to respect the user's desire to preserve groups, e.g. via SUDO_USER and getgrouplist.

Comment 1 Kentzo 2022-04-13 14:38:48 MDT
Related feature request for CPython: https://github.com/python/cpython/issues/91497
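
Added example, not part of the report and not code from sudo or CPython: a sketch of how an application could consume the variable requested above. `SUDO_PRESERVE_GROUPS` is the hypothetical name proposed in this report (sudo does not set it); the value `1`, the function name `reported_groups` and the injectable lookup parameters are assumptions made for illustration.

```python
import os
import pwd

# Hypothetical variable proposed in this report; current sudo does not export it.
PRESERVE_VAR = "SUDO_PRESERVE_GROUPS"


def reported_groups(environ=None, getgroups=os.getgroups,
                    getgrouplist=os.getgrouplist, getpwnam=pwd.getpwnam):
    """Return (source, sorted gids) describing the group list to report.

    source is "sudo_user" when the list was rebuilt from SUDO_USER via
    getgrouplist, or "process" when it comes from getgroups().
    The lookups are parameters so the logic can be exercised without sudo.
    """
    env = os.environ if environ is None else environ
    user = env.get("SUDO_USER")

    # Assumption: the proposed variable would be set to "1" when
    # --preserve-groups (or the sudoers equivalent) is in effect.
    if env.get(PRESERVE_VAR) == "1" and user:
        try:
            base_gid = getpwnam(user).pw_gid
            gids = getgrouplist(user, base_gid)
            return ("sudo_user", sorted(set(gids)))
        except (KeyError, OSError):
            # Unknown user or failed lookup: fall back to the process view.
            pass

    return ("process", sorted(set(getgroups())))


if __name__ == "__main__":
    # Environment variables are supplied by the caller, so this result is
    # suitable for reporting, not for access-control decisions.
    source, gids = reported_groups()
    print(f"{source}: {gids}")
```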