#1677 memberUid required for primary groups to match sudo rule
Closed: Fixed None Opened 6 years ago by jhrozek.

https://bugzilla.redhat.com/show_bug.cgi?id=880176 (Red Hat Enterprise Linux 6)

Description of problem:
sudo rules with %group_name or %#group_id sudoUser don't match for primary
groups not having user's memberUid.

Version-Release number of selected component (if applicable):
libsss_autofs-1.9.2-21.el6.x86_64
libsss_idmap-1.9.2-21.el6.x86_64
sssd-1.9.2-21.el6.x86_64
sssd-client-1.9.2-21.el6.x86_64
libsss_sudo-1.9.2-21.el6.x86_64
sudo-1.8.6p3-5.el6.x86_64

How reproducible:
always

Steps to Reproduce:
1. Use attached LDIF file to fill LDAP directory.
2. Use attached sssd.conf as the base for client configuration.
3. Execute "su -c 'sudo -u user2 true' user1 && echo allowed || echo
denied" as root.

Actual results:
denied

Expected results:
allowed

Additional info:
If the primary group (group_user1) has a memberUid with user name (user1)
added, the above works as expected.

This will still not work with sudoUser specified as group ID (i.e. %#20001),
even with memberUid added, because of
https://fedorahosted.org/sssd/ticket/1667.
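
The matching behaviour described above, as an added example that is not SSSD's code and not part of the original ticket: a group lookup that relies only on memberUid misses the primary group, so `%group_name` and `%#group_id` sudoUser values fail to match. The uidNumber, the `extra_group` entry and the assumption that group_user1 has gidNumber 20001 are constructed here, since the ticket's LDIF attachment is not on this page.

```python
# Constructed sample directory (assumed layout, not the ticket's LDIF attachment).
USERS = {"user1": {"uidNumber": 10001, "gidNumber": 20001}}
GROUPS = {
    "group_user1": {"gidNumber": 20001, "memberUid": []},         # primary group, no memberUid
    "extra_group": {"gidNumber": 20050, "memberUid": ["user1"]},  # supplementary group
}


def groups_by_memberuid(user):
    """Groups that list the user in memberUid (this lookup misses the primary group)."""
    return {(n, g["gidNumber"]) for n, g in GROUPS.items() if user in g["memberUid"]}


def groups_with_primary(user):
    """memberUid groups plus the group whose gidNumber is the user's primary gidNumber."""
    primary = USERS[user]["gidNumber"]
    found = groups_by_memberuid(user)
    found |= {(n, g["gidNumber"]) for n, g in GROUPS.items() if g["gidNumber"] == primary}
    return found


def sudo_user_matches(sudo_users, user, groups):
    """Evaluate sudoUser values of the forms name, #uid, %group, %#gid and ALL."""
    names = {n for n, _ in groups}
    gids = {gid for _, gid in groups}
    for value in sudo_users:
        if value == "ALL" or value == user:
            return True
        if value.startswith("%#"):        # group by numeric ID, checked before plain %group
            if value[2:].isdigit() and int(value[2:]) in gids:
                return True
        elif value.startswith("%"):       # group by name
            if value[1:] in names:
                return True
        elif value.startswith("#"):       # user by numeric ID
            if value[1:].isdigit() and int(value[1:]) == USERS[user]["uidNumber"]:
                return True
    return False
```

With the memberUid-only lookup the rule fails closed (the "denied" result reported above); including the primary gidNumber gives the expected "allowed".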

Fields changed

design_review: => 0
milestone: NEEDS_TRIAGE => SSSD 1.9.4
testsupdated: => 0

Fields changed

owner: somebody => pbrezina
patch: 0 => 1
status: new => assigned

resolution: => fixed
status: assigned => closed

Metadata Update from @jhrozek:
- Issue assigned to pbrezina
- Issue set to the milestone: SSSD 1.9.4

2 years ago
