From: Todd C. Miller Date: Tue, 11 Apr 2017 22:56:04 +0000 (-0600) Subject: Try to make it clear that when match_group_by_gid is enabled, groups X-Git-Tag: SUDO_1_8_20^2~48 X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=0b81e0b1951bf4c9cfe0fe5d78098ca85faf3636;p=sudo Try to make it clear that when match_group_by_gid is enabled, groups in sudoers are looked up by group name instead of group ID. This doesn't usually cause problems, but if there are conflicting group entries (for example, from a local /etc/group file and an LDAP or AD group database), whether the group is resolved by name or ID can be used to work around conflicts. --- diff --git a/doc/sudoers.cat b/doc/sudoers.cat index 5b77e438e..daae58f29 100644 --- a/doc/sudoers.cat +++ b/doc/sudoers.cat 
@@ -1194,24 +1194,39 @@ SSUUDDOOEERRSS OOPPTTIIOONNSS _o_n by default. match_group_by_gid - By default, when matching groups, ssuuddooeerrss will first - resolve all the user's group IDs to group names and - then compare those group names to any group names - listed in the _s_u_d_o_e_r_s file. This works well on systems - where the number of groups listed in the _s_u_d_o_e_r_s file - is larger than the number of groups a typical user - belongs to. On systems where group lookups are slow, - where users may belong to a large number of groups, and - where the number of groups listed in the _s_u_d_o_e_r_s file - is relatively small, it may be prohibitively expensive - and running commands via ssuuddoo may take longer than - normal. On such systems it may be faster to use the + By default, ssuuddooeerrss will look up each group the user is + a member of by group ID to determine the group name + (this is only done once). The resulting list of the + user's group names is used when matching groups listed + in the _s_u_d_o_e_r_s file. This works well on systems where + the number of groups listed in the _s_u_d_o_e_r_s file is + larger than the number of groups a typical user belongs + to. On systems where group lookups are slow, where + users may belong to a large number of groups, and where + the number of groups listed in the _s_u_d_o_e_r_s file is + relatively small, it may be prohibitively expensive and + running commands via ssuuddoo may take longer than normal. + On such systems it may be faster to use the _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag to avoid resolving the user's - group IDs to group names and instead resolve all group - names listed in the _s_u_d_o_e_r_s file, matching by group ID - instead of by group name. The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag - has no effect when _s_u_d_o_e_r_s data is stored in LDAP. - This flag is _o_f_f by default. + group IDs to group names. 
In this case, ssuuddooeerrss must + look up any group name listed in the _s_u_d_o_e_r_s file and + use the group ID instead of the group name when + determining whether the user is a member of the group. + + Note that if _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d is enabled, group + database lookups performed by ssuuddooeerrss will be keyed by + group name as opposed to group ID. On systems where + there are multiple sources for the group database, it + is possible to have conflicting group names or group + IDs in the local _/_e_t_c_/_g_r_o_u_p file and the remote group + database. On such systems, enabling or disabling + _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d can be used to choose whether group + database queries are performed by name (enabled) or ID + (disabled), which may aid in working around group entry + conflicts. + + The _m_a_t_c_h___g_r_o_u_p___b_y___g_i_d flag has no effect when _s_u_d_o_e_r_s + data is stored in LDAP. This flag is _o_f_f by default. This setting is only supported by version 1.8.18 or higher. @@ -2796,4 +2811,4 @@ DDIISSCCLLAAIIMMEERR file distributed with ssuuddoo or https://www.sudo.ws/license.html for complete details. -Sudo 1.8.20 March 27, 2017 Sudo 1.8.20 +Sudo 1.8.20 April 11, 2017 Sudo 1.8.20 diff --git a/doc/sudoers.man.in b/doc/sudoers.man.in index 0716489a6..2031a719f 100644 --- a/doc/sudoers.man.in +++ b/doc/sudoers.man.in @@ -21,7 +21,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.TH "SUDOERS" "5" "March 27, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" +.TH "SUDOERS" "5" "April 11, 2017" "Sudo @PACKAGE_VERSION@" "File Formats Manual" .nh .if n .ad l .SH "NAME" 
@@ -2526,10 +2526,12 @@ This flag is by default. .TP 18n match_group_by_gid -By default, when matching groups, +By default, \fBsudoers\fR -will first resolve all the user's group IDs to group names and then -compare those group names to any group names listed in the +will look up each group the user is a member of by group ID to +determine the group name (this is only done once). +The resulting list of the user's group names is used when matching +groups listed in the \fIsudoers\fR file. This works well on systems where the number of groups listed in the @@ -2545,10 +2547,29 @@ running commands via may take longer than normal. On such systems it may be faster to use the \fImatch_group_by_gid\fR -flag to avoid resolving the user's group IDs to group names and -instead resolve all group names listed in the +flag to avoid resolving the user's group IDs to group names. +In this case, +\fBsudoers\fR +must look up any group name listed in the \fIsudoers\fR -file, matching by group ID instead of by group name. +file and use the group ID instead of the group name when determining +whether the user is a member of the group. +.sp +Note that if +\fImatch_group_by_gid\fR +is enabled, group database lookups performed by +\fBsudoers\fR +will be keyed by group name as opposed to group ID. +On systems where there are multiple sources for the group database, +it is possible to have conflicting group names or group IDs in the local +\fI/etc/group\fR +file and the remote group database. +On such systems, enabling or disabling +\fImatch_group_by_gid\fR +can be used to choose whether group database queries are performed +by name (enabled) or ID (disabled), which may aid in working around +group entry conflicts. +.sp The \fImatch_group_by_gid\fR flag has no effect when diff --git a/doc/sudoers.mdoc.in b/doc/sudoers.mdoc.in index c7748c311..433871557 100644 --- a/doc/sudoers.mdoc.in +++ b/doc/sudoers.mdoc.in 
@@ -19,7 +19,7 @@ .\" Agency (DARPA) and Air Force Research Laboratory, Air Force .\" Materiel Command, USAF, under agreement number F39502-99-1-0512. .\" -.Dd March 27, 2017 +.Dd April 11, 2017 .Dt SUDOERS @mansectform@ .Os Sudo @PACKAGE_VERSION@ .Sh NAME @@ -2368,10 +2368,12 @@ This flag is .Em @mail_no_user@ by default. .It match_group_by_gid -By default, when matching groups, +By default, .Nm -will first resolve all the user's group IDs to group names and then -compare those group names to any group names listed in the +will look up each group the user is a member of by group ID to +determine the group name (this is only done once). +The resulting list of the user's group names is used when matching +groups listed in the .Em sudoers file. This works well on systems where the number of groups listed in the 
@@ -2387,10 +2389,29 @@ running commands via may take longer than normal. On such systems it may be faster to use the .Em match_group_by_gid -flag to avoid resolving the user's group IDs to group names and -instead resolve all group names listed in the +flag to avoid resolving the user's group IDs to group names. +In this case, +.Nm +must look up any group name listed in the .Em sudoers -file, matching by group ID instead of by group name. +file and use the group ID instead of the group name when determining +whether the user is a member of the group. +.Pp +Note that if +.Em match_group_by_gid +is enabled, group database lookups performed by +.Nm +will be keyed by group name as opposed to group ID. +On systems where there are multiple sources for the group database, +it is possible to have conflicting group names or group IDs in the local +.Pa /etc/group +file and the remote group database. +On such systems, enabling or disabling +.Em match_group_by_gid +can be used to choose whether group database queries are performed +by name (enabled) or ID (disabled), which may aid in working around +group entry conflicts. +.Pp The .Em match_group_by_gid flag has no effect when
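Review bot: in the rewritten first sentence of the match_group_by_gid entry (sudoers.cat hunk at -1194, repeated in sudoers.man.in at -2526 and sudoers.mdoc.in at -2368), "(this is only done once)" leaves the scope of "once" unstated. Since the entire rationale for the flag is the cost of group lookups, the reader needs to know whether that cost is paid once per sudo invocation, once per rule, or once per process; suggest "this is only done once per command invocation" (or whatever the actual cache lifetime is) in all three files so the generated pages stay in step.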
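Review bot: the sentence "must look up any group name listed in the sudoers file and use the group ID instead of the group name" (sudoers.man.in hunk at -2545, same wording in the .cat and .mdoc.in hunks) does not say what happens when that lookup fails. With the flag enabled, a %group entry whose name is absent from every consulted group database yields no group ID, so the paragraph should state plainly whether such an entry simply never matches, because that is a silent denial an administrator will otherwise discover only by testing. For symmetry with the default path, it should also say whether these per-name lookups are cached or repeated for each rule that names a group; that determines whether the "may be faster" claim still holds when sudoers is small but contains many group rules.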
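Review bot: the new "Note that if match_group_by_gid is enabled" paragraph (sudoers.mdoc.in hunk at -2387, mirrored in the other two files) presents the name-vs-ID choice only as a way to work around conflicts, but not that the two settings can grant different access on such a system: when the local /etc/group file and the remote database disagree about which members belong to a name, or which name a GID maps to, the set of users who satisfy a %group rule changes with the flag. Suggest adding one sentence to that effect and recommending that administrators compare `sudo -l` output for the affected users before and after toggling the flag, so that the workaround is not enabled without checking which membership set is now being granted.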