Bug 655 - sudo should look up group membership at time of command invocation
Status: RESOLVED FIXED
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.8.5
Hardware: PC Linux
Importance: low security
Assigned To: Todd C. Miller
Reported: 2014-08-12 05:06 MDT by Alex
Modified: 2014-08-12 10:29 MDT

Description Alex 2014-08-12 05:06:00 MDT
It seems that sudo trusts the group membership in the calling user's current shell.

This means that if a user had sudo access via membership of a group, but was subsequently removed from that group, the user continues to have sudo access in any shells they already had open. In an environment where users may have long-running screen sessions on servers, the risks that someone may retain unintended sudo access increase.

This seems like a security oversight - instead, sudo should evaluate a user's group membership when it is invoked.
Comment 1 Todd C. Miller 2014-08-12 10:29:36 MDT
By default, sudo uses the group vector returned by the kernel for the process, which is typically set at login time.  However, starting with sudo 1.8.7 there is a group_source setting in sudo.conf that can be used to control how sudo gets the user's group list.  The default is to use the group vector returned by the kernel if it is sufficiently small, but a sudo.conf line like:

Set group_source dynamic

will cause sudo to ignore the process's group vector and always query the group database instead.  This is not the default because querying the group database is prohibitively expensive on some systems.

For more information, see: http://www.sudo.ws/sudo/man/1.8.10/sudo.conf.man.html#x4f746865722073657474696e6773

Marking as fixed since you just need to update your sudo and edit sudo.conf as above.
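The gap described in this bug can be checked from an existing session. The script below is an added example (not sudo's own code and not from either commenter); it assumes coreutils `id` semantics, where `id -G` with no user reports the calling process's group vector and `id -G USER` resolves USER against the group database, and it treats a sudo.conf as dynamic only when it carries the exact `Set group_source dynamic` line from Comment 1.

```shell
#!/bin/sh
# Added example, not sudo's own code. Assumes coreutils `id` semantics:
# `id -G` (no user) reports the process's supplementary group vector set at
# login, while `id -G USER` resolves USER in the group database. That
# difference is exactly what the bug describes and what
# `Set group_source dynamic` makes sudo ignore.

# stale_groups PROC_GIDS DB_GIDS: print each GID present in the process's
# group vector but absent from the group database (space-separated lists).
stale_groups() {
  for g in $1; do
    found=0
    for h in $2; do
      [ "$g" = "$h" ] && found=1
    done
    [ "$found" -eq 0 ] && printf '%s\n' "$g"
  done
  return 0
}

# check_session: compare this shell's inherited group vector with the
# database. A non-zero status means a group was revoked after login and a
# sudo using the default group_source would still honour it.
check_session() {
  proc_gids=$(id -G)               # process group vector from login time
  db_gids=$(id -G "$(id -un)")     # current group database membership
  stale=$(stale_groups "$proc_gids" "$db_gids" | tr '\n' ' ')
  if [ -n "$stale" ]; then
    echo "revoked group IDs still active in this session: $stale"
    return 1
  fi
  echo "group vector matches the group database"
  return 0
}

# group_source_is_dynamic FILE: does this sudo.conf tell sudo to query the
# group database on every invocation? Leading whitespace is tolerated;
# commented-out lines do not count.
group_source_is_dynamic() {
  grep -Eq '^[[:space:]]*Set[[:space:]]+group_source[[:space:]]+dynamic[[:space:]]*$' "$1"
}

# Run the live comparison only when invoked as `sh script.sh --check`.
case "${1:-}" in
  --check) check_session ;;
esac
```

Running it with `--check` inside a long-lived screen session shows whether that session still carries groups the administrator has since removed.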