From: Todd C. Miller
Date: Mon, 17 Feb 2014 17:20:14 +0000 (-0700)
Subject: We also need to open the sudoers file as root if there is a GID
X-Git-Tag: SUDO_1_8_10^2~18
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=c6e310b948492f15d0394fd1739d5fd8f20e9b0d;p=sudo
We also need to open the sudoers file as root if there is a GID mismatch.
---
diff --git a/plugins/sudoers/sudoers.c b/plugins/sudoers/sudoers.c
index 08d901eec..79c1c76c2 100644
--- a/plugins/sudoers/sudoers.c
+++ b/plugins/sudoers/sudoers.c
@@ -693,11 +693,12 @@ open_sudoers(const char *sudoers, bool doedit, bool *keepopen)
 switch (sudo_secure_file(sudoers, sudoers_uid, sudoers_gid, &sb)) {
 case SUDO_PATH_SECURE:
 /*
- * If we are expecting sudoers to be group readable but
- * it is not, we must open the file as root, not uid 1.
+ * If we are expecting sudoers to be group readable by
+ * SUDOERS_GID but it is not, we must open the file as root,
+ * not uid 1.
 */
- if (sudoers_uid == ROOT_UID && ISSET(sudoers_mode, S_IRGRP)) {
- if ((sb.st_mode & S_IRGRP) == 0) {
+ if (sudoers_uid == ROOT_UID && ISSET(sudoers_mode, S_IRGRP)) {
+ if (!ISSET(sb.st_mode, S_IRGRP) || sb.st_gid != SUDOERS_GID) {
 restore_perms();
 set_perms(PERM_ROOT);
 }
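Review bot: The new ownership test compares `sb.st_gid` with the compile-time constant `SUDOERS_GID`, while the `sudo_secure_file()` call two lines above and the neighbouring checks use the runtime values `sudoers_uid`, `sudoers_gid` and `sudoers_mode`. If the runtime `sudoers_gid` can differ from the build-time default (it looks configurable, but that is not visible in this hunk), a file owned by the configured group would still take the open-as-root path, and a file owned by the default group would skip it even though the process may not hold that group. Consider `if (!ISSET(sb.st_mode, S_IRGRP) || sb.st_gid != sudoers_gid) {`, and naming the same variable in the comment, or state in the comment why the compile-time value is the intended one. The body of `open_sudoers()` continues outside the hunk, so whether the results of `restore_perms()` and `set_perms(PERM_ROOT)` are checked before the file is opened cannot be confirmed from here.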