#1677 memberUid required for primary groups to match sudo rule
Closed: Fixed None Opened 11 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=880176 (Red Hat Enterprise Linux 6)

Description of problem:
sudo rules with %group_name or %#group_id sudoUser don't match for primary
groups not having user's memberUid.

Version-Release number of selected component (if applicable):
libsss_autofs-1.9.2-21.el6.x86_64
libsss_idmap-1.9.2-21.el6.x86_64
sssd-1.9.2-21.el6.x86_64
sssd-client-1.9.2-21.el6.x86_64
libsss_sudo-1.9.2-21.el6.x86_64
sudo-1.8.6p3-5.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use attached LDIF file to fill LDAP directory.
2. Use attached sssd.conf as the base for client configuration.
3. Execute "su -c 'sudo -u user2 true' user1 && echo allowed || echo denied"
as root.

Actual results:
denied

Expected results:
allowed

Additional info:
If the primary group (group_user1) has a memberUid with user name (user1)
added, the above works as expected.

This will still not work with sudoUser specified as group ID (i.e. %#20001),
even with memberUid added, because of
https://fedorahosted.org/sssd/ticket/1667.
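
The matching behaviour this report describes, as an added Python illustration (not SSSD or sudo code, and not the ticket's attached LDIF). The directory data is constructed: only the names user1 and group_user1 and GID 20001 come from the report, while the `admins` group, the UID and the function names are assumptions.

```python
# Constructed directory data modelling the report's scenario.
USERS = {"user1": {"uid": 10001, "gid": 20001}}  # gid = primary group (gidNumber)
GROUPS = {
    "group_user1": {"gid": 20001, "memberUid": []},   # primary group, no memberUid
    "admins": {"gid": 20002, "memberUid": ["user1"]},  # hypothetical secondary group
}

def groups_by_member_uid(user):
    """Membership when only memberUid is consulted (the reported behaviour)."""
    return {name for name, g in GROUPS.items() if user in g["memberUid"]}

def groups_with_primary(user):
    """memberUid groups plus the group whose GID is the user's primary GID."""
    primary_gid = USERS[user]["gid"]
    primary = {name for name, g in GROUPS.items() if g["gid"] == primary_gid}
    return groups_by_member_uid(user) | primary

def sudo_user_matches(sudo_user, user, resolver):
    """Evaluate one sudoUser value: ALL, name, #uid, %group_name or %#group_id."""
    if sudo_user == "ALL":
        return True
    groups = resolver(user)
    if sudo_user.startswith("%#"):
        try:
            gid = int(sudo_user[2:])
        except ValueError:
            return False  # malformed group ID never matches
        return any(GROUPS[name]["gid"] == gid for name in groups)
    if sudo_user.startswith("%"):
        return sudo_user[1:] in groups
    if sudo_user.startswith("#"):
        return sudo_user[1:] == str(USERS[user]["uid"])
    return sudo_user == user

if __name__ == "__main__":
    for value in ("%group_user1", "%#20001", "%admins"):
        for resolver in (groups_by_member_uid, groups_with_primary):
            verdict = "allowed" if sudo_user_matches(value, "user1", resolver) else "denied"
            print(f"{value:14} {resolver.__name__:22} {verdict}")
```
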

Fields changed

blockedby: =>
blocking: =>
coverity: =>
design: =>
design_review: => 0
feature_milestone: =>
fedora_test_page: =>
milestone: NEEDS_TRIAGE => SSSD 1.9.4
testsupdated: => 0

Fields changed

owner: somebody => pbrezina
patch: 0 => 1
status: new => assigned

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.4

7 years ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/2719

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.
