Bug 461 - sudo doesn't ask for password when only the GID is changed
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.7.4
Hardware: PC Linux
Importance: low high
Assigned To: Todd C. Miller
Reported: 2011-01-11 02:56 MST by Bdale Garbee
Modified: 2011-01-15 12:19 MST (History)

Attachments
Fix for checking password when only the group changes (619 bytes, patch)
2011-01-11 10:32 MST, Todd C. Miller

Description Bdale Garbee 2011-01-11 02:56:14 MST
A user of my Debian package of sudo 1.7.4p4 reports that with a sudoers line like

    %sudo ALL=(ALL:ALL) ALL

users of group sudo are correctly prompted for a password when changing user, but are not prompted for a password when changing group.  You can replicate this by seeing the difference in behavior regarding whether a password is prompted for between these two command lines:

    sudo -u root id
    sudo -g staff id

Full details are in http://bugs.debian.org/609641.

I'm stopping short of tagging this a security bug since the exposure is limited to people put in group sudo.
Comment 1 Todd C. Miller 2011-01-11 10:32:56 MST
Created attachment 299
Fix for checking password when only the group changes

There is a special case in the password checking code that allows a user to run sudo as themselves.  This was not updated when the group support was added.  The attached patch fixes this.
Comment 2 Todd C. Miller 2011-01-15 12:19:46 MST
Fixed in sudo 1.7.4p5
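
The special case described in Comment 1, as a simplified model added here; it is not sudo's code and not the attached patch. The struct, function names and numeric IDs are constructed, and the corrected condition (no prompt only when the user gains no new group) is an assumption about what the group check should cover.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed model of one sudo invocation; all names are hypothetical. */
struct request {
    uid_t user_uid;          /* invoking user */
    const gid_t *user_gids;  /* groups the invoking user already belongs to */
    size_t n_gids;
    uid_t runas_uid;         /* target user; equals user_uid when only -g is given */
    bool group_given;        /* true when -g was used */
    gid_t runas_gid;         /* target group, meaningful only when group_given */
};

static bool in_groups(const struct request *r, gid_t g) {
    for (size_t i = 0; i < r->n_gids; i++)
        if (r->user_gids[i] == g) return true;
    return false;
}

/* Behaviour reported in the bug: the "running as yourself" exemption
 * looks only at the user, so a group-only change skips the prompt. */
static bool needs_password_before(const struct request *r) {
    return r->user_uid != r->runas_uid;
}

/* Assumed correction: the exemption holds only when no new group is gained. */
static bool needs_password_after(const struct request *r) {
    bool same_user = r->user_uid == r->runas_uid;
    bool no_new_group = !r->group_given || in_groups(r, r->runas_gid);
    return !(same_user && no_new_group);
}

/* Constructed sample: uid 1000 belongs to gid 27 only; gid 50 is the -g target. */
static const gid_t sample_gids[] = { 27 };
static const struct request as_root  = { 1000, sample_gids, 1, 0,    false, 0  };
static const struct request as_group = { 1000, sample_gids, 1, 1000, true,  50 };
static const struct request as_self  = { 1000, sample_gids, 1, 1000, false, 0  };

int main(void) {
    const struct request *cases[] = { &as_root, &as_group, &as_self };
    const char *labels[] = { "-u root ", "-g group", "as self " };
    for (size_t i = 0; i < 3; i++)
        printf("%s before=%d after=%d\n", labels[i],
               needs_password_before(cases[i]), needs_password_after(cases[i]));
    return 0;
}
```

Only the group-only case differs between the two checks, which matches the report: `sudo -u root id` prompted, `sudo -g staff id` did not.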