From: Todd C. Miller
Date: Thu, 26 Aug 2010 15:36:47 +0000 (-0400)
Subject: If runas_pw changes, reset the stashed runas aux group vector.
X-Git-Tag: SUDO_1_7_5~181
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4db60c084005ab65741b338ca4a75280078d8887;p=sudo

If runas_pw changes, reset the stashed runas aux group vector. Otherwise, if runas_default is set in a per-command Defaults statement, the command runs with root's aux group vector (i.e. the one that was used when locating the command).

--HG--
branch : 1.7
---

diff --git a/set_perms.c b/set_perms.c
index 4e7dc9cf8..81e2e7605 100644
--- a/set_perms.c
+++ b/set_perms.c
@@ -488,7 +488,8 @@ runas_setgroups()
 # ifdef HAVE_GETGROUPS
 static GETGROUPS_T *groups;
 # endif
- struct passwd *pw;
+ static struct passwd *pw;
+ struct passwd *opw = pw;

 if (def_preserve_groups)
 return;
@@ -496,14 +497,18 @@ runas_setgroups()
 /*
 * Use stashed copy of runas groups if available, else initgroups and stash.
 */
- if (ngroups == -1) {
- pw = runas_pw ? runas_pw : sudo_user.pw;
+ pw = runas_pw ? runas_pw : sudo_user.pw;
+ if (pw != opw) {
 # ifdef HAVE_SETAUTHDB
 aix_setauthdb(pw->pw_name);
 # endif
 if (initgroups(pw->pw_name, pw->pw_gid) < 0)
 log_error(USE_ERRNO|MSG_ONLY, "can't set runas group vector");
 # ifdef HAVE_GETGROUPS
+ if (groups) {
+ efree(groups);
+ groups = NULL;
+ }
 if ((ngroups = getgroups(0, NULL)) > 0) {
 groups = emalloc2(ngroups, sizeof(GETGROUPS_T));
 if (getgroups(ngroups, groups) < 0)
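Review bot: The now-`static` `pw` in the declaration hunk (`@@ -488,7 +488,8 @@`) keeps a pointer to `runas_pw` or `sudo_user.pw` alive between calls, and nothing on the declaration says who owns that memory or that the saved value is only meant to be compared. In the visible lines `opw` is compared with the new `pw` and never dereferenced. A comment on the declaration would keep it that way, e.g. `/* pw persists across calls so a changed runas_pw is detected; opw is only compared, never dereferenced */`. The rest of runas_setgroups() starts before and continues after this hunk.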
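Review bot: `if (pw != opw)` in the second hunk (`@@ -496,14 +497,18 @@`) treats pointer identity as user identity. The stashed group vector is therefore reused if a new `runas_pw` lands at the same address as the previous one, or if the struct it points to is rewritten in place. Whether passwd entries can be freed or refreshed between calls is not visible here, but if they can, the command would run with the previous user's supplementary groups, the same class of problem this commit fixes. Recording the uid the vector was built for in a new static (the name `stashed_uid` is constructed here) and testing `if (pw != opw || pw->pw_uid != stashed_uid)` would close that gap. The block comment above the test should also say that the stash is rebuilt when the runas user changes; the function body continues past the end of the hunk.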