Bug 321

Summary: group gives root access
Product: Sudo
Reporter: Gabriel Morales <gabriel.morales>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED DUPLICATE
Severity: normal
CC: gabriel.morales, mark.kabbas
Priority: normal
Version: 1.6.9
Hardware: PC
OS: Other

Description Gabriel Morales 2008-11-27 11:53:16 MST
When I use a group to give sudo permissions, it gives me root access.

As an example, I am user r805bld of group v805:
> id
uid=144(r805bld) gid=112(v805) groups=121(dvl)

The permissions I have are:
> sudo -l
User r805bld may run the following commands on this host:
    (r805bld) NOPASSWD: ALL
    (root) NOPASSWD: /sbin/visudo
    (%v805) NOPASSWD: /users/neartek/r805bld/V805_gabriel/AMXWSYS/TMP/JS

I can run the JS script (that includes an id command) as root:
> sudo -u root /users/neartek/r805bld/V805_gabriel/AMXWSYS/TMP/JS
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7(lp),20(users),200(dba)

The version of sudo is:
> sudo -V
Sudo version 1.6.9p17

The machine is an HP9000 with PA-RISC:
> uname -a
HP-UX asterix B.11.11 U 9000/800 504750538 unlimited-user license

Could it be related to the architecture? I tried with an earlier version of sudo on Itanium and AIX and couldn't reproduce that problem.

Comment 1 Todd C. Miller 2008-12-09 11:10:37 MST
Is root a member of group v805? If so, that would explain it.

Comment 2 Mark Kabbas 2008-12-09 13:05:27 MST
Hello Todd, 
Thank you for the reply.

root is not part of the v805 group, as seen from the id command.

Comment 3 Todd C. Miller 2009-02-03 09:20:53 MST
Fixed in sudo 1.6.9p20 and sudo 1.7.0

*** This bug has been marked as a duplicate of bug 327 ***