Bug 1028 - Feature request: expose that --preserve-groups is used via an environment variable
Status: NEW
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.9.10
Hardware: PC MacOS X
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2022-04-13 14:37 MDT by Kentzo
Modified: 2022-04-13 14:38 MDT (History)

Description Kentzo 2022-04-13 14:37:38 MDT
On macOS, getgroups has two modes of operation:

1. It returns up to NGROUPS_MAX groups of the current user process
2. It returns an unlimited number of groups of the user's default group access list

This choice is made at compile time by defining either _DARWIN_C_SOURCE or _DARWIN_UNLIMITED_GETGROUPS.

Since usage of setgroups cannot be detected on macOS, a target application compiled with either of the macros will "misbehave" by ignoring the `--preserve-groups` option.

One notable example of this behavior is CPython's os.getgroups function.

I request that sudo should be modified to expose via an environment variable (e.g. SUDO_PRESERVE_GROUPS) whether the --preserve-groups option (or a corresponding sudoers setting) is set.

If implemented, it will allow applications, such as CPython's os.getgroups, to respect the user's desire to preserve groups, e.g. via SUDO_USER and getgrouplist.
Comment 1 Kentzo 2022-04-13 14:38:48 MDT
Related feature request for CPython: https://github.com/python/cpython/issues/91497
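
Added example, not part of the bug report and not sudo or CPython code: a sketch of how an application could consume the variable requested in the description, falling back to the process's own group list when it is absent. `SUDO_PRESERVE_GROUPS` and its value `"1"` are assumptions (sudo does not set this variable), and `invoking_user_groups` is a hypothetical helper name.

```python
import os
import pwd

# Name proposed in the request above; sudo does not set it. The value "1"
# is an assumption made for this example.
PROPOSED_VAR = "SUDO_PRESERVE_GROUPS"


def _default_group_list(user):
    """Default group access list of `user` via getpwnam + getgrouplist."""
    entry = pwd.getpwnam(user)  # raises KeyError for an unknown user
    return sorted(set(os.getgrouplist(user, entry.pw_gid)))


def invoking_user_groups(environ=None, process_groups=os.getgroups,
                         group_list=_default_group_list):
    """Return (gids, source) for the group list the user asked to preserve.

    source is "sudo_user" when the list was rebuilt from SUDO_USER, and
    "process" when the process's own getgroups() result is used.

    Environment variables are supplied by whoever started the process, so
    the result is informational only and must not feed an access decision;
    the kernel's credentials stay authoritative for that.
    """
    env = os.environ if environ is None else environ
    current = sorted(set(process_groups()))
    user = env.get("SUDO_USER", "")
    if env.get(PROPOSED_VAR) != "1" or not user:
        return current, "process"
    try:
        return group_list(user), "sudo_user"
    except (KeyError, OSError):
        # SUDO_USER does not resolve: fall back instead of failing.
        return current, "process"


if __name__ == "__main__":
    print(invoking_user_groups())
```
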