Bugzilla – Bug 524
local/ldap groups collision
Last modified: 2016-03-17 10:31:34 MDT
I have an OpenLDAP server with a group "admins" which is allowed to use sudo on all hosts. If there is a local group "admins" and an unprivileged member of this group, this user is allowed to use sudo. How can I resolve this collision?
If the two groups have different group IDs you grant permissions based on the group ID instead of the group name. Of course, there could also be a collision with the group IDs too. Unfortunately, there is really no way to tell whether a group comes from a local group file or from something network-based like LDAP.
(In reply to comment #1)
> If the two groups have different group IDs you grant permissions based
> on the group ID instead of the group name. Of course, there could also
> be a collision with the group IDs too.
>
> Unfortunately, there is really no way to tell whether a group comes
> from a local group file or from something network-based like LDAP.

Thanks. From here http://www.gratisoft.us/sudo/sudoers.ldap.man.html:

> sudoUser
> A user name, uid (prefixed with '#'), Unix group (prefixed with a '%')
> or user netgroup (prefixed with a '+').

How can I grant sudo access based on group ID?
I'm sorry, a sudoUser can not currently be a group ID so that will not work for you (this will be supported in sudo 1.8.4).
Linux doesn't provide a good way to deal with group name collisions. Newer versions of sudo can grant access based on the group ID which may be a viable workaround.
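The workaround discussed in this bug (grant on the GID, and accept that a GID collision defeats it) can be checked for before it is relied on. The script below is an added example, not part of this bug report and not sudo project code. It takes two group lists, a local /etc/group-style list and the same names as the LDAP directory serves them (in practice the LDAP list would be pulled with an ldapsearch over the group subtree, since `getent group` merges sources and shows only the winning entry), reports every name present in both, and for each collision emits a sudoers rule in the `%#gid` form keyed on the LDAP GID when the GIDs differ, or a warning when the GIDs collide as well. Both group lists are constructed sample data, and the names and GIDs in them are assumptions for illustration.

```shell
#!/bin/sh
# Added example: detect local/LDAP group-name collisions and suggest a
# GID-based sudoers rule. Not from the original bug report or from sudo.

# Constructed sample of a local /etc/group (assumed data, not real hosts).
LOCAL_GROUPS='root:x:0:
admins:x:1001:mallory
users:x:100:alice'

# Constructed sample of the groups as served by the LDAP directory
# (assumed data; in practice obtained with ldapsearch, not getent).
LDAP_GROUPS='admins:*:5000:alice,bob
developers:*:5001:alice'

# find_collisions LOCAL_LIST LDAP_LIST
# Prints "name local_gid ldap_gid" for every group name present in both lists.
find_collisions() {
    printf '%s\n' "$1" | awk -F: -v ldap="$2" '
        BEGIN {
            # Index the LDAP list by group name so each local entry is a lookup.
            n = split(ldap, lines, "\n")
            for (i = 1; i <= n; i++) {
                split(lines[i], f, ":")
                if (f[1] != "") lgid[f[1]] = f[3]
            }
        }
        ($1 in lgid) { print $1, $3, lgid[$1] }
    '
}

# suggest_rule NAME LOCAL_GID LDAP_GID
# When the GIDs differ, print a sudoers rule keyed on the LDAP GID (the
# %#gid syntax of sudoers). When they are the same, a GID-based rule cannot
# separate the two groups either, so warn and return non-zero.
suggest_rule() {
    if [ "$2" = "$3" ]; then
        printf 'WARNING: group %s has GID %s both locally and in LDAP; a GID-based rule cannot separate them\n' "$1" "$2"
        return 1
    fi
    printf '%%#%s ALL=(ALL) ALL\n' "$3"
}

# Run the check over the constructed lists and print a rule per collision.
main() {
    find_collisions "$LOCAL_GROUPS" "$LDAP_GROUPS" | while read -r name lgid rgid; do
        suggest_rule "$name" "$lgid" "$rgid"
    done
}

main
```

The emitted `%#5000 ALL=(ALL) ALL` line still grants to any group with GID 5000, local or not, which is exactly the residual risk comment #1 describes; the warning branch is there so that a GID collision is noticed rather than silently producing a rule that matches both groups.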