Bug 94

Summary: Nested netgroups do not work
Product: Sudo
Reporter: Kevin Collins <kcollins>
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID
Severity: normal
Priority: normal
Version: 1.6.6
Hardware: HP
OS: HP-UX

Description Kevin Collins 2002-12-03 16:05:09 MST
If I have a netgroup file (NIS map) that has this:

grp1  (host1,,) (host2,,)

grp2  (host3,,) (host4,,)

sshosts grp1 grp2

and in sudoers I have:

kevin    !+sshosts = (root) /some/cmd

This should prevent me from running "/some/cmd" on host1, host2, host3 and
host4, but it does not.

However, if I change the "sshosts" netgroup to contain the specific hosts and 
not nested groups, it works as expected. It appears that sudo does not work 
with nested netgroups.

I know this works with things such as .rhosts, /etc/passwd, etc., as we use
it all over the place, so I expected sudo to have the same functionality.

Is this a bug or expected behavior?
Comment 1 Todd C. Miller 2003-03-14 08:31:06 MST
Sudo just uses the innetgr libc function; it does not parse netgroups itself.  If nested netgroups are not working with sudo on HP-UX then this is a defect in HP-UX's innetgr() libc function.
Comment 2 Kevin Collins 2003-03-20 10:42:06 MST
Todd,

since I would assume that innetgr() is used by all the other standard
tools, it is not broken. Almost all of our netgroups contain subgroups and
they all work fine with other netgroup-enabled tools.

Additionally, this problem is also exhibited on our RedHat Linux 7.2 systems. 

I decided to do some further testing and I found what I believe is my problem, 
which is not a sudo bug. 

To illustrate, I had something like this in /etc/sudoers:

kevin     ALL = (root) NOPASSWD: /bin/ls
kevin     !+sshosts = (root) NOPASSWD: /bin/ls

which does not work. But, if I do the following it does work:

kevin     ALL,!+sshosts = (root) NOPASSWD: /bin/ls

I'm not sure why it never occurred to me to try that before...

Thanks,

Kevin
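To make the two points in this thread concrete, here is an added example in Python; it is not part of the bug report and not code from the sudo project. It models the description's nested netgroup lookup (sudo delegates to libc innetgr(), which follows nested groups) and Comment 2's finding that a negated netgroup in its own sudoers entry does not deny anything, while `ALL,!+sshosts` inside one host list does. The netgroup map is the one constructed in the report; the functions `innetgr`, `host_list_matches` and `sudoers_allows` are a simplified model of the host-list rules in sudoers(5) (each item is matched in order, a `!` item negates the running result, and a list that matches nothing grants nothing). IP addresses, Host_Alias, Runas and command matching are deliberately left out.

```python
"""Model of sudo host-list matching with nested netgroups.

Added illustration for Sudo bug 94; not the sudo project's own code.
The rules are a simplified reading of sudoers(5): only hostnames, ALL and
'+netgroup' items are modelled, '!' negates a single item, and within one
Host_List the last matching item decides the result.
"""

# NIS netgroup map from the bug report (constructed sample data).  A member
# is either the name of a nested netgroup or a (host, user, domain) triple.
NETGROUPS = {
    "grp1": [("host1", "", ""), ("host2", "", "")],
    "grp2": [("host3", "", ""), ("host4", "", "")],
    "sshosts": ["grp1", "grp2"],
}

# The two sudoers layouts compared in Comment 2, as (user, host_list) pairs.
# Runas and command parts are omitted; both entries grant the same command.
SPLIT_ENTRIES = [("kevin", "ALL"), ("kevin", "!+sshosts")]
COMBINED_ENTRIES = [("kevin", "ALL,!+sshosts")]


def innetgr(netgroups, name, host, seen=None):
    """Model of libc innetgr(3): is `host` a member of netgroup `name`?

    Nested netgroups are followed recursively; `seen` guards against a
    netgroup that (directly or indirectly) contains itself.
    """
    if seen is None:
        seen = set()
    if name in seen:
        return False
    seen.add(name)
    for member in netgroups.get(name, []):
        if isinstance(member, tuple):
            member_host, _user, _domain = member
            if member_host in ("", host):  # empty field is a wildcard
                return True
        elif innetgr(netgroups, member, host, seen):
            return True
    return False


def host_list_matches(host_list, host, netgroups):
    """Evaluate one sudoers Host_List such as "ALL,!+sshosts" for `host`.

    Items are scanned left to right.  A matching plain item sets the result
    to True, a matching negated item sets it to False, and an item that does
    not match leaves the result alone.  A list in which nothing matches
    yields False, which is why a lone "!+sshosts" never matches any host.
    """
    matched = False
    for item in host_list.split(","):
        item = item.strip()
        negated = item.startswith("!")
        if negated:
            item = item[1:]
        if item == "ALL":
            hit = True
        elif item.startswith("+"):
            hit = innetgr(netgroups, item[1:], host)
        else:
            hit = item == host
        if hit:
            matched = not negated
    return matched


def sudoers_allows(entries, user, host, netgroups):
    """Apply (user, host_list) entries in order.

    Every entry is an independent grant: one whose host list matches allows
    the command, one that does not match is simply skipped.  Entries never
    subtract from each other, so a separate negated entry cannot deny.
    """
    allowed = False
    for entry_user, host_list in entries:
        if entry_user == user and host_list_matches(host_list, host, netgroups):
            allowed = True
    return allowed


def compare_layouts(hosts=("host1", "host3", "host5")):
    """Return {host: (split_result, combined_result)} for user kevin."""
    return {
        h: (
            sudoers_allows(SPLIT_ENTRIES, "kevin", h, NETGROUPS),
            sudoers_allows(COMBINED_ENTRIES, "kevin", h, NETGROUPS),
        )
        for h in hosts
    }


if __name__ == "__main__":
    for host, (split, combined) in compare_layouts().items():
        print(f"{host}: separate entries allow={split}, ALL,!+sshosts allow={combined}")
```

Running the block prints that host1 and host3 (reached only through the nested groups) are allowed under the two-entry layout and denied under `ALL,!+sshosts`, while host5, which is in no netgroup, is allowed under both. The practitioner's takeaway is the one Kevin reached: a `!` item only removes hosts that an earlier item in the same list added, so the exclusion has to live in the same Host_List as the `ALL`.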