If the user specifies a runas group via sudo's -g option that matches

the runas user's group in the passwd database and that group is not
denied in the Runas_Spec, allow it. Thus, if user root's gid in
/etc/passwd is 0, then "sudo -u root -g root id" is allow even if
no groups are present in the Runas_Spec.

--HG--
branch : 1.7

diff --git a/match.c b/match.c
index ba299e19d94c7bf4d97573530250ad15844310fd..1f6f7b8b1a55753cad4a88e43d00940e889fe730 100644 (file)
--- a/match.c
+++ b/match.c
@@ -236,6 +236,10 @@ _runaslist_matches(user_list, group_list)
            if (group_matched != UNSPEC)
                break;
        }
+       if (group_matched == UNSPEC) {
+           if (runas_pw != NULL && runas_pw->pw_gid == runas_gr->gr_gid)
+               group_matched = ALLOW;  /* runas group matches passwd db */
+       }
     }
 
     if (user_matched == DENY || group_matched == DENY)