Bugzilla – Bug 94
Nested netgroups do not work
Last modified: 2003-03-20 14:42:06 MST
If I have a netgroup file (NIS map) that has this:

    grp1 (host1,,) (host2,,)
    grp2 (host3,,) (host4,,)
    sshosts grp1 grp2

and in sudoers I have:

    kevin !+sshosts = (root) /some/cmd

This should prevent me from running "/some/cmd" on host1, host2, host3 and host4, but it does not. However, if I change the "sshosts" netgroup to contain the specific hosts and not nested groups, it works as expected. It appears that sudo does not work with nested netgroups. I know this works with things such as .rhosts, /etc/passwd, etc., as we use it all over the place, so I expected sudo to have the same functionality. Is this a bug or expected behavior?
Sudo just uses the innetgr libc function; it does not parse netgroups itself. If nested netgroups are not working with sudo on HP-UX then this is a defect in HP-UX's innetgr() libc function.
Todd, since I would assume that innetgr() is used by all the other standard tools, it is not broken. Almost all of our netgroups contain subgroups and they all work fine with other netgroup-enabled tools. Additionally, this problem is also exhibited on our RedHat Linux 7.2 systems.

I decided to do some further testing and I found what I believe is my problem, which is not a sudo bug. To illustrate, I had something like this in /etc/sudoers:

    kevin ALL = (root) NOPASSWD: /bin/ls
    kevin !+sshosts = (root) NOPASSWD: /bin/ls

which does not work. But, if I do the following it does work:

    kevin ALL,!+sshosts = (root) NOPASSWD: /bin/ls

I'm not sure why it never occurred to me to try that before...

Thanks,
Kevin