From: Todd C. Miller Date: Sat, 13 Aug 2011 18:43:43 +0000 (-0400) Subject: If the user specifies a runas group via sudo's -g option that matches X-Git-Tag: SUDO_1_7_7~14 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=02d581568620bba8e908a80e0938e144459e1310;p=sudo If the user specifies a runas group via sudo's -g option that matches the runas user's group in the passwd database and that group is not denied in the Runas_Spec, allow it. Thus, if user root's gid in /etc/passwd is 0, then "sudo -u root -g root id" is allowed even if no groups are present in the Runas_Spec. --HG-- branch : 1.7 --- diff --git a/match.c b/match.c index ba299e19d..1f6f7b8b1 100644 --- a/match.c +++ b/match.c @@ -236,6 +236,10 @@ _runaslist_matches(user_list, group_list) if (group_matched != UNSPEC) break; } + if (group_matched == UNSPEC) { + if (runas_pw != NULL && runas_pw->pw_gid == runas_gr->gr_gid) + group_matched = ALLOW; /* runas group matches passwd db */ + } } if (user_matched == DENY || group_matched == DENY)
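
Review bot: In the block added to _runaslist_matches(), runas_gr->gr_gid is dereferenced while only runas_pw is tested for NULL, and the context lines shown here carry no guard for runas_gr. If the enclosing block does not already guarantee that runas_gr is non-NULL, add it to the condition, for example `runas_pw != NULL && runas_gr != NULL && runas_pw->pw_gid == runas_gr->gr_gid`. The two nested ifs can also be folded into a single condition that starts with `group_matched == UNSPEC`. Because this grants a runas group that no Runas_Spec lists (the "sudo -u root -g root id" case in the commit message), the change in policy should be documented alongside it; this diff touches only match.c.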