Bug 655

Summary: sudo should look up group membership at time of command invocation
Product: Sudo
Reporter: Alex <ams-sudo>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED FIXED
Severity: security
Priority: low
Version: 1.8.5
Hardware: PC
OS: Linux

Description Alex 2014-08-12 05:06:00 MDT
It seems that sudo trusts the group membership in the calling user's current shell. 

This means that if a user had sudo access via membership of a group, but was subsequently removed from that group, the user continues to have sudo access in any shells they already had open. In an environment where users may have long-running screen sessions on servers, the risks that someone may retain unintended sudo access increase. 

This seems like a security oversight - instead, sudo should evaluate a user's group membership when it is invoked.
Comment 1 Todd C. Miller 2014-08-12 10:29:36 MDT
By default, sudo uses the group vector returned by the kernel for the process, which is typically set at login time.  However, starting with sudo 1.8.7 there is a group_source setting in sudo.conf that can be used to control how sudo gets the user's group list.  The default is to use the group vector returned by the kernel if it is sufficiently small, but a sudo.conf line like:

Set group_source dynamic

will cause sudo to ignore the process's group vector and always query the group database instead.  This is not the default because querying the group database is prohibitively expensive on some systems.

For more information, see: http://www.sudo.ws/sudo/man/1.8.10/sudo.conf.man.html#x4f746865722073657474696e6773

Marking as fixed since you just need to update your sudo and edit sudo.conf as above.
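As an added illustration of the distinction in the comment above (not part of the bug report or of sudo itself), this script compares the process's kernel group vector, which sudo's default static group source trusts, with what the group database returns now, which is what `group_source dynamic` queries. It assumes that `id -Gn` with no argument reports the calling process's supplementary groups and that `id -Gn USER` performs a fresh lookup in the group database.

```shell
#!/bin/sh
# Added example: detect group memberships that a long-lived shell still
# carries in its kernel group vector after they were removed from the
# group database (the stale-membership case described in the bug).

# Print each group name in $1 (space-separated) that is not in $2,
# one per line. Pure string work, so it can be checked on constructed input.
groups_only_in_first() {
    for g in $1; do
        found=0
        for h in $2; do
            if [ "$g" = "$h" ]; then
                found=1
                break
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$g"
        fi
    done
    return 0
}

# Supplementary groups of this process, as set by the kernel at login
# (assumption: id with no user argument reports the process group vector).
process_groups() {
    id -G -n
}

# Groups the group database assigns to the user right now
# (assumption: id with a user argument queries the database afresh).
database_groups() {
    id -G -n "${1:-$(id -u -n)}"
}

# Report memberships that are still in this session but gone from the
# database; these are exactly what a static group source would keep honouring.
report_stale() {
    stale=$(groups_only_in_first "$(process_groups)" "$(database_groups)")
    if [ -n "$stale" ]; then
        printf 'stale group(s) in this session: %s\n' "$stale"
        return 1
    fi
    echo "process group vector matches the group database"
    return 0
}
```

Source the file and call `report_stale` from the session you want to check; a non-zero return means the open shell still carries a group the database no longer grants, and a new login would not.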