Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 235915 - sudo can't always correctly determine group membership
Summary: sudo can't always correctly determine group membership
Alias: None
Product: Fedora
Classification: Fedora
Component: sudo
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Peter Vrabec
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2007-04-10 19:21 UTC by Nalin Dahyabhai
Modified: 2011-03-19 13:19 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-04-12 08:41:25 UTC

Attachments (Terms of Use)
use getgrouplist() if all else fails (deleted)
2007-04-10 19:21 UTC, Nalin Dahyabhai
no flags Details | Diff

Description Nalin Dahyabhai 2007-04-10 19:21:42 UTC
Description of problem:
When checking if a user is a member of a group, sudo opens the group's entry
using getgrnam() and scans the member list.  Depending on which nsswitch modules
are in use, this may or may not be enough, so it needs to fall back on

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Grant a user access by virtue of being in a group.
2. Define that group using hesiod, or in both /etc/group and anywhere else.  The
second option is a *terrible* idea, but it happens.
Actual results:
The user will only be granted access if user is listed in the first location
where the group's entry can be found, contradicting the "groups" command.

Expected results:
User gets access.

Comment 1 Nalin Dahyabhai 2007-04-10 19:21:42 UTC
Created attachment 152173 [details]
use getgrouplist() if all else fails

Comment 2 Peter Vrabec 2007-04-12 08:38:58 UTC
thnx. Nalin, 
it's fixed in sudo-1.6.8p12-14.fc7

Comment 3 Nicolas Vigier 2011-03-19 13:19:31 UTC

I see that fedora package has a patch for this. Is it planned to submit this patch upstream, or has it already been done ?

Note You need to log in before you can comment on or make changes to this bug.