Bugzilla – Bug 516
sudo does not set group vector when run from an init service
Last modified: 2011-10-12 05:58:56 MDT
I have observed that when sudo is executed from an init.d service on Gentoo, it does not set the full group vector of the target user. This does not happen when the service is started manually, but only when it is started by the system (upon boot, or with e.g. telinit 1 / telinit 3).

After some stracing and reading the source code, the reason appears to be as follows. The init process (pid 1) has an empty groups vector, which ultimately descends to the init services. According to getgroups(2), this is fine: "It is unspecified whether the effective group ID of the calling process is included in the returned list." However, sudo.c treats (or at least appears to, as I am not familiar with the code) such an empty groups vector as an indication that it should not be modified. Specifically, in get_user_groups:

    if ((ud->ngroups = getgroups(0, NULL)) <= 0)
        return NULL;

and elsewhere:

    if (details->ngroups >= 0) {
        if (setgroups(details->ngroups, details->groups) < 0)

I don't think it's the same ngroups, but in any case, after the first getgroups call returns 0, sudo doesn't do any more getgroups/setgroups calls, according to strace.
This should be fixed in sudo 1.8.2 and higher. If possible, please try the latest sudo 1.8.3 release candidate, which you will find at http://www.sudo.ws/sudo/devel.html. Sudo now uses getgrouplist() to fill in the groups vector if getgroups() returns <= 0.
Hi, I tested with 1.8.2, and the problem is indeed fixed in that version. Thanks!
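The condition the reporter describes (an empty supplementary group vector inherited from pid 1) and the remedy the maintainer names (fall back to getgrouplist(3) when getgroups(2) returns <= 0) can be reproduced in a few lines. The following is an added example written for this page; it is not sudo's own code and does not reproduce sudo's internal structure or names. It assumes Linux with glibc or musl, where getgrouplist() is declared in <grp.h>. When run as root it first clears its own group vector with setgroups(0, NULL) to mimic what an init service inherits, then shows the fallback rebuilding the vector from the group database; unprivileged runs simply show the normal getgroups() path.

```c
/* Added example (not sudo's code): reproduce the empty-group-vector
 * condition from this bug and apply the same remedy the maintainer
 * describes: fall back to getgrouplist(3) when getgroups(2) reports no
 * supplementary groups. Linux with glibc or musl is assumed. */
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Look the user's group membership up in the group database via
 * getgrouplist(3), as sudo 1.8.2+ does when getgroups() comes back empty.
 * Returns the number of gids written to groups[], or -1 if the buffer is
 * too small. getgrouplist() always includes 'gid' (the primary group). */
int groups_from_db(const char *user, gid_t gid, gid_t *groups, int maxgroups)
{
    int ngroups = maxgroups;            /* in: capacity, out: count */
    if (getgrouplist(user, gid, groups, &ngroups) == -1)
        return -1;                      /* ngroups now holds the size needed */
    return ngroups;
}

/* Build the group vector for the current process. Prefer the kernel's view
 * (getgroups), but treat an empty vector, as inherited from init, as
 * "unknown" rather than "no groups" and consult the database instead.
 * This is the distinction the original get_user_groups() missed. */
int resolve_group_vector(gid_t *groups, int maxgroups)
{
    int n = getgroups(maxgroups, groups);
    if (n > 0)
        return n;                       /* kernel vector present: use it */

    /* n == 0 (empty, the init case) or n < 0 (error, e.g. EINVAL because
     * maxgroups was too small): rebuild from passwd/group for the real user. */
    struct passwd *pw = getpwuid(getuid());
    if (pw == NULL) {
        /* No passwd entry: the best available answer is the primary group. */
        groups[0] = getegid();
        return 1;
    }
    return groups_from_db(pw->pw_name, pw->pw_gid, groups, maxgroups);
}

/* Small helper so callers can check that an expected gid made it in. */
int contains_gid(const gid_t *groups, int n, gid_t want)
{
    for (int i = 0; i < n; i++)
        if (groups[i] == want)
            return 1;
    return 0;
}

int main(void)
{
    gid_t groups[256];

    /* Reproduce the reporter's condition when we have the privilege to:
     * clear the supplementary group vector, as pid 1 and its children have.
     * setgroups() needs CAP_SETGID, so unprivileged runs skip this. */
    if (geteuid() == 0 && setgroups(0, NULL) == 0)
        printf("cleared group vector: getgroups(0, NULL) now returns %d\n",
               getgroups(0, NULL));

    int n = resolve_group_vector(groups, 256);
    printf("resolved %d group(s):", n);
    for (int i = 0; i < n; i++)
        printf(" %u", (unsigned)groups[i]);
    printf("\n");
    return n > 0 ? 0 : 1;
}
```

Note that getgrouplist() reports the database's view of membership, not the kernel's: if the calling process was given an explicit, non-empty vector by a parent (for example by a service manager that already called initgroups()), getgroups() wins, and the database is only consulted when the vector is empty or unreadable.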