Bug 532 - -g option does not work anymore
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.3
Hardware: PC FreeBSD
Importance: normal normal
Assigned To: Todd C. Miller
Depends on:
Blocks:
Reported: 2012-01-19 03:29 MST by spam150
Modified: 2012-02-21 06:10 MST

Attachments
sudo -V output (5.57 KB, text/plain)
2012-01-19 03:29 MST, spam150
Diff to fix group problem on FreeBSD (1.56 KB, patch)
2012-01-19 10:56 MST, Todd C. Miller

Description spam150 2012-01-19 03:29:47 MST
Created attachment 326
sudo -V output

On a FreeBSD7 system:
# cat /usr/local/etc/sudoers
root ALL=(: www) NOPASSWD: /usr/bin/id

# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

# sudo -g www /usr/bin/id
uid=0(root) gid=0(wheel) egid=80(www) groups=80(www),0(wheel),5(operator)

This is with sudo 1.7.4 (see attachment for output of -V)

On a FreeBSD8 system with the exact same sudoers:
# id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

# sudo -g www /usr/bin/id
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)

# sudo -D 9 -g www /usr/bin/id
sudo: settings: debug_level=9
sudo: settings: runas_group=www
sudo: settings: progname=sudo
sudo: settings: network_addrs=88.159.10.56/255.255.255.192
sudo: sudo_mode 1
sudo: policy plugin returns 1
sudo: command info: umask=022
sudo: command info: command=/usr/bin/id
sudo: command info: runas_uid=0
sudo: command info: runas_gid=80
sudo: command info: runas_groups=0,5
sudo: command info: closefrom=3
sudo: command info: set_utmp=true
sudo: command info: login_class=root
uid=0(root) gid=0(wheel) groups=0(wheel),5(operator)
sudo: received signal 20
sudo: calling policy close with wait status
The latter is with sudo 1.8.3 (see attachment for output of -V)

On both systems the sudo PAM file is equal:
Comment 1 spam150 2012-01-19 04:13:19 MST
It strikes me that FreeBSD has setegid(), but that it is not used (we see runas_gid= in the debug output and not runas_egid=).
Comment 2 Todd C. Miller 2012-01-19 10:56:15 MST
Created attachment 327
Diff to fix group problem on FreeBSD

The problem is that FreeBSD's kernel now stores the effective group ID in the group vector.  As a result, when sudo calls setgroups(), the kernel changes the effective group ID too. Changing the order would work around the issue but would result in the user's old group ID being replaced by the group specified by the -g flag.  I've attached a diff that prepends the group to the group list instead.  With the diff applied I get the following on FreeBSD 8.2.

fbsd8 [~] % id
uid=1001(millert) gid=1001(millert) groups=1001(millert),0(wheel)
fbsd8 [~] % sudo -g www id
uid=1001(millert) gid=1001(millert) egid=80(www) groups=80(www),0(wheel),1001(millert)
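The comment above describes the mechanism in one paragraph: on FreeBSD 8 and later the kernel keeps the effective GID in groups[0], so a setgroups() call issued after setgid() silently replaces the egid that -g asked for, and simply swapping the order loses the user's original primary group from the supplementary list. The C below is an added illustration of the approach Todd describes (put the run-as GID at index 0 of the vector, then call setgroups() and setgid()); it is not sudo's own code nor the attached diff, and the names build_runas_groups and apply_runas_group, as well as the sample group lists, are assumptions made for the example. It also goes slightly beyond the bug report in that it drops a duplicate of the run-as GID already present in the list and works the same way on Linux, which keeps the egid outside the supplementary vector.

```c
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <grp.h>
#include <sys/types.h>

/*
 * Build the vector to pass to setgroups() when a command runs with a
 * different effective group (the sudo -g case).  runas_gid is placed at
 * index 0 and any copy of it further along is dropped; the other groups
 * keep their order.  Returns the new length, or -1 if it does not fit
 * in 'out' (capacity 'cap').
 *
 * On FreeBSD 8+ groups[0] is the effective GID in the kernel credential,
 * so whatever sits at index 0 when setgroups() runs becomes the egid.
 * Putting the run-as GID there makes the setgroups()/setgid() order
 * irrelevant instead of one call undoing the other.
 * (Hypothetical helper written for this example, not sudo's code.)
 */
int build_runas_groups(gid_t runas_gid, const gid_t *groups, int ngroups,
                       gid_t *out, int cap)
{
    int n = 0, i;

    if (cap < 1)
        return -1;
    out[n++] = runas_gid;
    for (i = 0; i < ngroups; i++) {
        if (groups[i] == runas_gid)
            continue;               /* already at index 0 */
        if (n >= cap)
            return -1;
        out[n++] = groups[i];
    }
    return n;
}

/*
 * Switch the calling process to run-as GID 'runas_gid' while keeping its
 * current supplementary groups: setgroups() first, with the run-as GID
 * at index 0, then setgid().  On FreeBSD both calls then agree on the
 * egid; on Linux the order is harmless anyway.  Needs root.  Returns 0,
 * or -1 with errno left from the failing libc call.  (Hypothetical.)
 */
int apply_runas_group(gid_t runas_gid)
{
    gid_t *cur = NULL, *vec = NULL;
    int ncur, nvec, rc = -1;

    ncur = getgroups(0, NULL);          /* size query only */
    if (ncur < 0)
        return -1;
    cur = calloc((size_t)ncur + 1, sizeof(gid_t));
    vec = calloc((size_t)ncur + 1, sizeof(gid_t));
    if (cur == NULL || vec == NULL)
        goto out;
    ncur = getgroups(ncur, cur);
    if (ncur < 0)
        goto out;
    nvec = build_runas_groups(runas_gid, cur, ncur, vec, ncur + 1);
    if (nvec < 0)
        goto out;
    if (setgroups(nvec, vec) != 0 || setgid(runas_gid) != 0)
        goto out;
    rc = 0;
out:
    free(cur);
    free(vec);
    return rc;
}

/* Demo: as root with a numeric GID argument, switch to it and report what
 * the kernel says; otherwise show the vector built for the reporter's
 * case (groups 0,5 plus -g 80).  Sample values are constructed. */
int main(int argc, char **argv)
{
    gid_t sample[] = { 0, 5 }, vec[64];
    int n, i;

    if (argc > 1 && getuid() == 0) {
        gid_t g = (gid_t)strtoul(argv[1], NULL, 10);
        if (apply_runas_group(g) != 0) {
            perror("apply_runas_group");
            return 1;
        }
        printf("egid=%u groups=", (unsigned)getegid());
        n = getgroups(64, vec);
        for (i = 0; i < n; i++)
            printf("%s%u", i ? "," : "", (unsigned)vec[i]);
        printf("\n");
        return 0;
    }
    n = build_runas_groups(80, sample, 2, vec, 64);
    printf("vector for setgroups():");
    for (i = 0; i < n; i++)
        printf(" %u", (unsigned)vec[i]);
    printf("\n");
    return 0;
}
```

Run without arguments (any user) to see the vector that would be handed to setgroups(); as root, `./a.out 80` performs the switch and prints the resulting egid and group list so the FreeBSD and Linux behaviour can be compared directly.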
Comment 3 spam150 2012-01-19 11:12:16 MST
This indeed fixes the problem (on both FreeBSD7 and 8)

Thanks!
Comment 4 Todd C. Miller 2012-02-21 06:10:32 MST
Fixed in sudo 1.8.4