Bug 524

Summary: local/ldap groups collision
Product: Sudo Reporter: rozov
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID    
Severity: normal    
Priority: low    
Version: 1.7.2   
Hardware: PC   
OS: Linux   

Description rozov 2011-11-24 09:34:56 MST 
i have openldap server with group "admins" which is allowed to make sudo at all hosts. if there is an local group "admins" and an unprivileged member of this group, this user is alowed to make sudo.
how can i resolve this collision?
Comment 1 Todd C. Miller 2011-11-24 13:00:41 MST 
If the two groups have different group IDs you grant permissions based on the group ID instead of the group name.  Of course, there could also be a collision with the group IDs too.

Unfortunately, there is really no way to tell whether a group comes from a local group file or from something network-based like LDAP.
Comment 2 rozov 2011-11-24 13:12:01 MST 
(In reply to comment #1)
> If the two groups have different group IDs you grant permissions based
> on the group ID instead of the group name.  Of course, there could also
> be a collision with the group IDs too.
> 
> Unfortunately, there is really no way to tell whether a group comes
> from a local group file or from something network-based like LDAP.

thanx

from here
http://www.gratisoft.us/sudo/sudoers.ldap.man.html

>sudoUser
>A user name, uid (prefixed with '#'), Unix group (prefixed with a '%') >or user netgroup (prefixed with a '+').

How can i grant sudo access based on group id?
Comment 3 Todd C. Miller 2011-11-29 16:40:23 MST 
I'm sorry, a sudoUser can not currently be a group ID so that will not work for you (this will be supported in sudo 1.8.4).
Comment 4 Todd C. Miller 2016-03-17 10:31:34 MDT 
Linux doesn't provide a good way to deal with group name collisions.  Newer versions of sudo can grant access based on the group ID which may be a viable workaround.