Bug 321 – group gives root access

Bug 321 - group gives root access


Summary:	group gives root access

Status:	RESOLVED DUPLICATE of bug 327

Product:	Sudo
Classification:	Unclassified
Component:	Sudo
Version:	1.6.9
Hardware:	PC Other

Importance:	normal normal
Assigned To:	Todd C. Miller

URL:

Depends on:
Blocks:
	Show dependency tree / graph

Reported:	2008-11-27 11:53 MST by Gabriel Morales
Modified:	2009-02-03 09:20 MST (History)
CC List:	2 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Gabriel Morales 2008-11-27 11:53:16 MST

When I use a group to give sudo permissions, it gives me root access.

As an example, I am user r805bld of group v805:
> id
uid=144(r805bld) gid=112(v805) groups=121(dvl)

The permissions I have are:
> sudo -l
User r805bld may run the following commands on this host:
    (r805bld) NOPASSWD: ALL
    (root) NOPASSWD: /sbin/visudo
    (%v805) NOPASSWD: /users/neartek/r805bld/V805_gabriel/AMXWSYS/TMP/JS

I can run the JS script (that includes an id command) as root:
> sudo -u root /users/neartek/r805bld/V805_gabriel/AMXWSYS/TMP/JS
uid=0(root) gid=3(sys) groups=0(root),1(other),2(bin),4(adm),5(daemon),6(mail),7
(lp),20(users),200(dba)

The version of sudo is:
> sudo -V
Sudo version 1.6.9p17

The machine is an HP9000 with PA-RISC:
> uname -a
HP-UX asterix B.11.11 U 9000/800 504750538 unlimited-user license

Could it be related to the architecture? I tried with an earlier version of sudo on Itanium and AIX and couldn't reproduce that problem.

Comment 1 Todd C. Miller 2008-12-09 11:10:37 MST

Is root a member of group v805?  If so, that would explain it.

Comment 2 Mark Kabbas 2008-12-09 13:05:27 MST

Hello Todd, 
Thank you for the reply.

root is not part of the v805 group, as seen from the id command.

Comment 3 Todd C. Miller 2009-02-03 09:20:53 MST

Fixed in sudo 1.6.9p20 and sudo 1.7.0

*** This bug has been marked as a duplicate of bug 327 ***