Bug 532

Summary: -g option does not work anymore
Product: Sudo Reporter: spam150
Component: SudoAssignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED    
Severity: normal    
Priority: normal    
Version: 1.8.3   
Hardware: PC   
OS: FreeBSD   
Attachments: sudo -V output
Diff to fix group problem on FreeBSD

Description spam150 2012-01-19 03:29:47 MST 
Created attachment 326 [details]
sudo  -V output

On a FreeBSD7 system:
# cat /usr/local/etc/sudoers
root ALL=(: www) NOPASSWD: /usr/bin/id

# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

# sudo -g www /usr/bin/id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www),0(wheel),5(operator)

This is with sudo 1.7.4 (see attachment for output of -V)

On a FreeBSD8 system with the exact same sudoers:
# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

# sudo -g www /usr/bin/id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

r# sudo -D 9 -g www /usr/bin/id
sudo: settings: debug_level=9
sudo: settings: runas_group=www
sudo: settings: progname=sudo
sudo: settings: network_addrs=88.159.10.56/255.255.255.192
sudo: sudo_mode 1
sudo: policy plugin returns 1
sudo: command info: umask=022
sudo: command info: command=/usr/bin/id
sudo: command info: runas_uid=0
sudo: command info: runas_gid=80
sudo: command info: runas_groups=0,5
sudo: command info: closefrom=3
sudo: command info: set_utmp=true
sudo: command info: login_class=root
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
sudo: received signal 20
sudo: calling policy close with wait status
The latter is with sudo 1.8.3 (see attachment for output of -V)

On both systems the sudo PAM file is equal:
Comment 1 spam150 2012-01-19 04:13:19 MST 
It strikes me that FreeBSD has setegid(), but that it is not used (we see runas_gid= in the debug output and not runas_egid=)
Comment 2 Todd C. Miller 2012-01-19 10:56:15 MST 
Created attachment 327 [details]
Diff to fix group problem on FreeBSD

The problem is that FreeBSD's kernel now stores the effective group ID in the group vector.  As a result, when sudo calls setgroups(), the kernel changes the effective group ID too. Changing the order would work around the issue but would result in the user's old group ID being replaced by the group specified by the -g flag.  I've attached a diff that prepends the group to the group list instead.  With the diff applied I get the following on FreeBSD 8.2.

fbsd8 [~] % id
uid=1001(millert) gid=1001(millert) groups=1001(millert),0(wheel)
fbsd8 [~] % sudo -g www id
uid=1001(millert) gid=1001(millert) egid=80(www) groups=80(www),0(wheel),1001(millert)
Comment 3 spam150 2012-01-19 11:12:16 MST 
This indeed fixes the problem (on both FreeBSD7 and 8)

Thanks!
Comment 4 Todd C. Miller 2012-02-21 06:10:32 MST 
Fixed in sudo 1.8.4