Bugzilla – Full Text Bug Listing
| Summary: | sudo doesn't ask for password when only the GID is changed | ||
|---|---|---|---|
| Product: | Sudo | Reporter: | Bdale Garbee <bdale> |
| Component: | Sudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED FIXED | ||
| Severity: | high | ||
| Priority: | low | ||
| Version: | 1.7.4 | ||
| Hardware: | PC | ||
| OS: | Linux | ||
| Attachments: | Fix for checking password when only the group changes | ||
Created attachment 299
Fix for checking password when only the group changes
There is a special case in the password checking code that allows a user to run sudo as themselves. This was not updated when the group support was added. The attached patch fixes this.
Fixed in sudo 1.7.4p5
A user of my Debian package of sudo 1.7.4p4 reports that with a sudoers line like

    %sudo ALL=(ALL:ALL) ALL

users of group sudo are correctly prompted for a password when changing user, but are not prompted for a password when changing group. You can replicate this by seeing the difference in behavior regarding whether a password is prompted for between these two command lines:

    sudo -u root id
    sudo -g staff id

Full details are in http://bugs.debian.org/609641. I'm stopping short of tagging this a security bug since the exposure is limited to people put in group sudo.
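
The special case described in this bug, modelled as an added example; it is not sudo's source and not the contents of attachment 299. The struct, the function names and the sample user are hypothetical, and the "after" check is an assumed shape of the fix: the run-as-yourself shortcut applies only when no new group is requested or the user already belongs to it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one sudo invocation; not sudo's own structures. */
struct request {
    unsigned user_uid;              /* invoking user */
    unsigned runas_uid;             /* target user; equals user_uid when only -g is given */
    const char *runas_group;        /* group named with -g, or NULL */
    const char *const *user_groups; /* invoking user's groups, NULL-terminated */
};

/* Constructed sample user: uid 1000, member of "users" and "sudo" but not "staff". */
static const char *const sample_groups[] = { "users", "sudo", NULL };

struct request sample_request(unsigned runas_uid, const char *runas_group) {
    struct request r = { 1000, runas_uid, runas_group, sample_groups };
    return r;
}

static bool in_group(const struct request *r, const char *name) {
    for (const char *const *g = r->user_groups; *g != NULL; g++)
        if (strcmp(*g, name) == 0)
            return true;
    return false;
}

/* Before: the "running as yourself" shortcut looks at the uid only. */
bool skip_password_before(const struct request *r) {
    return r->user_uid == r->runas_uid;
}

/* After (assumed shape of the fix): the shortcut also requires that no new
 * group is requested, or that the user already belongs to it. */
bool skip_password_after(const struct request *r) {
    if (r->user_uid != r->runas_uid)
        return false;
    return r->runas_group == NULL || in_group(r, r->runas_group);
}

int main(void) {
    struct request as_root = sample_request(0, NULL);        /* sudo -u root id */
    struct request as_staff = sample_request(1000, "staff"); /* sudo -g staff id */
    printf("-u root:  before=%d after=%d\n",
           skip_password_before(&as_root), skip_password_after(&as_root));
    printf("-g staff: before=%d after=%d\n",
           skip_password_before(&as_staff), skip_password_after(&as_staff));
    return 0;
}
```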