If the user specifies a runas group via sudo's -g option that matches
authorTodd C. Miller <Todd.Miller@courtesan.com>
Mon, 23 May 2011 18:00:54 +0000 (14:00 -0400)
committerTodd C. Miller <Todd.Miller@courtesan.com>
Mon, 23 May 2011 18:00:54 +0000 (14:00 -0400)
the runas user's group in the passwd database and that group is not
denied in the Runas_Spec, allow it.  Thus, if user root's gid in
/etc/passwd is 0, then "sudo -u root -g root id" is allowed even if
no groups are present in the Runas_Spec.

plugins/sudoers/match.c

index 8e06a4d5c6658efb918a5d0448ededac171aec31..79176a280d30f71d496be1b80677b1960b3d97a2 100644 (file)
@@ -227,6 +227,10 @@ _runaslist_matches(struct member_list *user_list, struct member_list *group_list
            if (group_matched != UNSPEC)
                break;
        }
+       if (group_matched == UNSPEC) {
+           if (runas_pw != NULL && runas_pw->pw_gid == runas_gr->gr_gid)
+               group_matched = ALLOW;  /* runas group matches passwd db */
+       }
     }
 
     if (user_matched == DENY || group_matched == DENY)
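Review bot: The added `if (group_matched == UNSPEC)` block grants an authorization that no sudoers entry spells out, yet its only explanation is the trailing `/* runas group matches passwd db */`. A comment above the block should state the rule and its limit, for example `/* No Runas_Spec group entry matched: implicitly allow the runas user's passwd gid; an explicit DENY found above still wins. */`. The new condition also dereferences `runas_gr` with no check in the visible lines. Presumably the enclosing block, which opens outside this hunk, guarantees it is non-NULL, but that should be confirmed. It is also worth confirming which passwd entry `runas_pw` holds when only -g is given, since the implicit allow depends on it.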