From 02d581568620bba8e908a80e0938e144459e1310 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Sat, 13 Aug 2011 14:43:43 -0400
Subject: [PATCH] If the user specifies a runas group via sudo's -g option that matches the runas user's group in the passwd database and that group is not denied in the Runas_Spec, allow it. Thus, if user root's gid in /etc/passwd is 0, then "sudo -u root -g root id" is allow even if no groups are present in the Runas_Spec.
--HG--
branch : 1.7
---
 match.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/match.c b/match.c
index ba299e19d..1f6f7b8b1 100644
--- a/match.c
+++ b/match.c
@@ -236,6 +236,10 @@ _runaslist_matches(user_list, group_list)
 if (group_matched != UNSPEC)
 break;
 }
+ if (group_matched == UNSPEC) {
+ if (runas_pw != NULL && runas_pw->pw_gid == runas_gr->gr_gid)
+ group_matched = ALLOW; /* runas group matches passwd db */
+ }
 }
 if (user_matched == DENY || group_matched == DENY)
-- 
2.40.0
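Review bot: The added block reads `runas_gr->gr_gid` with only `runas_pw` checked for NULL. The guard that makes `runas_gr` non-NULL is presumably the enclosing `if`, which starts outside this hunk, so either confirm it or write the test as `if (runas_pw != NULL && runas_gr != NULL && runas_pw->pw_gid == runas_gr->gr_gid)`. Because this grants an allow that no sudoers entry expresses, the comment would help a policy auditor more as `/* no Runas_Spec group matched or denied: implicitly allow the runas user's passwd gid */`. It is also worth a note there that the result still depends on `user_matched` in the checks that follow the hunk. The diffstat shows only match.c changing, so the sudoers manual presumably still needs a sentence describing this implicit rule.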