From d9e807b269ea6b268da4f16da5f8a8bdd8751223 Mon Sep 17 00:00:00 2001
From: "Todd C. Miller"
Date: Mon, 23 May 2011 14:00:54 -0400
Subject: [PATCH] If the user specifies a runas group via sudo's -g option that matches the runas user's group in the passwd database and that group is not denied in the Runas_Spec, allow it. Thus, if user root's gid in /etc/passwd is 0, then "sudo -u root -g root id" is allow even if no groups are present in the Runas_Spec.
---
 plugins/sudoers/match.c | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/plugins/sudoers/match.c b/plugins/sudoers/match.c
index 8e06a4d5c..79176a280 100644
--- a/plugins/sudoers/match.c
+++ b/plugins/sudoers/match.c
@@ -227,6 +227,10 @@ _runaslist_matches(struct member_list *user_list, struct member_list *group_list
 if (group_matched != UNSPEC)
 break;
 }
+ if (group_matched == UNSPEC) {
+ if (runas_pw != NULL && runas_pw->pw_gid == runas_gr->gr_gid)
+ group_matched = ALLOW; /* runas group matches passwd db */
+ }
 }

 if (user_matched == DENY || group_matched == DENY)
-- 
2.40.0
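Review bot: The new `if (group_matched == UNSPEC)` fallback grants ALLOW for a group that no Runas_Spec entry names, and the only explanation is the trailing `/* runas group matches passwd db */`. Because this implicitly widens sudoers policy, it deserves a comment above the block stating the rule and its limit, e.g. `/* No Runas_Spec group entry matched: implicitly allow -g only when the group is the runas user's primary gid in the passwd db; an explicit deny is never overridden. */`. The added lines dereference `runas_gr` while NULL-checking only `runas_pw`, so they presumably rely on a `runas_gr != NULL` guard in the enclosing block, which starts outside the hunk and is worth confirming. The diffstat shows only match.c changed, so the sudoers documentation for Runas_Spec may also need a sentence on this default, since someone auditing a policy file cannot see the grant in the file itself.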