[ale] Sudoers, groups, default group

Leam Hall leamhall at gmail.com
Fri Mar 3 08:19:34 EST 2023



On 3/2/23 20:16, Jim Kinney via Ale wrote:
> If a user has a default group that's not a typical user private group (same name, no members except that user), and sudoers has a group entry of that default group, does sudo get its group membership of that user from a user lookup or a group lookup?
> 
> Got a user with default group foo but the user doesn't show as a member using getent group foo. The user can use the group sudo process. Seems wrong to me. Maybe user not required to be a member of their default group? Seems REALLY wrong to me.
> 

Jim,

I'm not sure I understand the question, the "not" in the first sentence confuses me. Here's what I did on a Fedora 37 box:

1. Edit /etc/sudoers
	%leam ALL=/usr/bin/cat /tmp/file_group
	leam ALL=/usr/bin/cat /tmp/file_user

2. Create user fred, in group leam.

3. Try to read the files. Note the user name is in brackets:

	[leam at shaphan ~]$ sudo cat /tmp/file_group
	file 2
	[leam at shaphan ~]$ sudo cat /tmp/file_user
	file 1

	[fred at shaphan ~]$ sudo cat /tmp/file_group
	[sudo] password for fred:
	file 2
	[fred at shaphan ~]$ sudo cat /tmp/file_user
	Sorry, user fred is not allowed to execute '/usr/bin/cat /tmp/file_user' as root on shaphan.

"fred" can read the file based on group membership, and leam can read it based on user. So my bet is that both user and group are checked, and any allow gives an allow. Does that help?

Leam

-- 
Automation Engineer        (reuel.net/resume)
Scribe: The Domici War     (domiciwar.net)
General Ne'er-do-well      (github.com/LeamHall)
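To illustrate why fred matches the %leam rule even though `getent group leam` lists no members, here is an added example (not from the thread) that models how sudo derives a user's group set: the primary GID from the passwd entry counts, plus any group whose member list names the user. The passwd, group and sudoers contents are constructed, and the rule matching is a simplified model of sudoers, not sudo's own parser.

```python
import re

# Constructed sample entries (not from a real host): fred's primary GID is
# 1000, the "leam" group, but that group entry lists no members at all.
PASSWD = """\
leam:x:1000:1000:Leam Hall:/home/leam:/bin/bash
fred:x:1001:1000:Fred:/home/fred:/bin/bash
"""
GROUP = """\
leam:x:1000:
wheel:x:10:leam
"""
# Hypothetical sudoers lines mirroring the test in the post.
SUDOERS = """\
%leam ALL=/usr/bin/cat /tmp/file_group
leam ALL=/usr/bin/cat /tmp/file_user
"""

def effective_groups(user, passwd=PASSWD, group=GROUP):
    """Group names the user belongs to, as initgroups() would build them:
    the primary GID from passwd plus every group listing the user as a member."""
    gid_by_user = {f[0]: f[3] for f in
                   (l.split(":") for l in passwd.splitlines() if l)}
    if user not in gid_by_user:
        raise KeyError(user)
    names = set()
    for line in group.splitlines():
        if not line:
            continue
        name, _, gid, members = line.split(":")
        if gid == gid_by_user[user] or user in members.split(","):
            names.add(name)
    return names

def sudo_allows(user, command, sudoers=SUDOERS):
    """True if any rule (a user rule or a %group rule) permits the command."""
    groups = effective_groups(user)
    for line in sudoers.splitlines():
        m = re.match(r"^(%?)(\S+)\s+\S+=(.+)$", line)
        if not m:
            continue
        is_group, who, cmd = m.groups()
        subject_matches = (who in groups) if is_group else (who == user)
        if subject_matches and cmd.strip() == command:
            return True
    return False
```

Run `effective_groups("fred")` to see that "leam" is present even though the group file never names fred; that primary-GID membership is what satisfies the %leam rule.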