[ale] Sudoers, groups, default group
Leam Hall
leamhall at gmail.com
Fri Mar 3 16:57:33 EST 2023
fred's only group was "leam", and fred had sudo access to the file based on group membership. I'm not sure what you're looking at, but the whole point of groups in sudoers seems to be to allow group members to do that sort of thing. Remember, groups predate a lot of the cool boyz tools that people use these days. It was specifically there to assign capabilities outside of the normal user level stuff. Since fred is in group "leam", that's all that matters.
Leam
- the person, not the group
On 3/3/23 09:49, Jim Kinney wrote:
> Ok. Now make Fred's default group leam and make certain that Fred doesn't appear as a member with getent group leam. So remove Fred from group leam in /etc/group but keep Fred's default group as leam.
>
> In my exact scenario the user and group data is provided through sssd from freeipa/IdM. Sudoers file is a local file and not handled by IdM. In my opinion, Fred should not have access. Calling the group "mine" but not a member is a conflict.
>
> I know that sudo rules managed by IdM with a group defined for access requires group membership - IdM looks at the rule being accessed then at the denied list and then the approved list. For groups approved it expands to user list and then searches for the requesting user.
>
> But it seems like local file sudoers does a requesting user lookup to match groups and approves from that.
>
> Instead of digging through source code for hard proof, I've been doing web research to determine the method and keep pulling up blank.
>
> On Fri, Mar 3, 2023, 8:19 AM Leam Hall via Ale <ale at ale.org> wrote:
>
> On 3/2/23 20:16, Jim Kinney via Ale wrote:
> > If a user has a default group that's not a typical user private group (same name, no members except that user), and sudoers has a group entry of that default group, does sudo get its group membership of that user from a user lookup or a group lookup?
> >
> > Got a user with default group foo but the user doesn't show as a member using getent group foo. The user can use the group sudo process. Seems wrong to me. Maybe user not required to be a member of their default group? Seems REALLY wrong to me.
> >
>
> Jim,
>
> I'm not sure I understand the question, the "not" in the first sentence confuses me. Here's what I did on a Fedora 37 box:
>
> 1. Edit /etc/sudoers
> %leam ALL=/usr/bin/cat /tmp/file_group
> leam ALL=/usr/bin/cat /tmp/file_user
>
> 2. Create user fred, in group leam.
>
> 3. Try to read the files. Note the user name is in brackets:
>
> [leam at shaphan ~]$ sudo cat /tmp/file_group
> file 2
> [leam at shaphan ~]$ sudo cat /tmp/file_user
> file 1
>
> [fred at shaphan ~]$ sudo cat /tmp/file_group
> [sudo] password for fred:
> file 2
> [fred at shaphan ~]$ sudo cat /tmp/file_user
> Sorry, user fred is not allowed to execute '/usr/bin/cat /tmp/file_user' as root on shaphan.
>
> "fred" can read the file based on group membership, and leam can read it based on user. So my bet is that both user and group are checked, and any allow gives an allow. Does that help?
>
> Leam
>
> --
> Automation Engineer (reuel.net/resume)
> Scribe: The Domici War (domiciwar.net)
> General Ne'er-do-well (github.com/LeamHall)
--
Automation Engineer (reuel.net/resume)
Scribe: The Domici War (domiciwar.net)
General Ne'er-do-well (github.com/LeamHall)
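As an added audit helper, not code from the thread or from the sudo project: it models the two sources of Unix group membership (the primary GID in passwd and the member list in group) and reports which users each sudoers rule reaches. The passwd, group and sudoers contents are constructed to mirror Jim's scenario, reusing the names and paths from Leam's test above; the model is the id(1) group vector, and sudo's own matching code is not consulted.

```python
# Audit helper: which users does a "%group" sudoers rule actually reach?
# Unix group membership comes from two places: the primary GID in passwd
# and the member list in group. `getent group NAME` shows only the latter,
# so a user whose default group is NAME is missing from its output yet is
# still a member as far as id(1) and sudo's %group matching are concerned.

# Constructed data mirroring the thread: fred's primary group is "leam"
# (gid 1000) but he is not in that group's member field.
PASSWD = """\
leam:x:1000:1000::/home/leam:/bin/bash
fred:x:1001:1000::/home/fred:/bin/bash
"""
GROUP = """\
leam:x:1000:
wheel:x:10:leam
"""
SUDOERS = """\
%leam ALL=/usr/bin/cat /tmp/file_group
leam ALL=/usr/bin/cat /tmp/file_user
"""

def parse_passwd(text):
    """name -> primary gid (passwd field 4)."""
    return {f[0]: int(f[3]) for f in (l.split(":") for l in text.splitlines() if l)}

def parse_group(text):
    """name -> (gid, explicit members): the `getent group` view."""
    rows = (l.split(":") for l in text.splitlines() if l)
    return {f[0]: (int(f[2]), {m for m in f[3].split(",") if m}) for f in rows}

def groups_of(user, passwd, groups):
    """Full group vector for a user, as id(1) reports it."""
    pgid = passwd.get(user)
    return {g for g, (gid, members) in groups.items() if user in members or gid == pgid}

def sudoers_grants(sudoers, passwd, groups):
    """Map each sudoers rule to the set of users it actually reaches."""
    grants = {}
    for line in sudoers.splitlines():
        who = line.split(None, 1)[0] if line.strip() else "#"
        if who.startswith("#"):
            continue
        if who.startswith("%"):  # group rule: expand via each user's group vector
            grants[line] = {u for u in passwd if who[1:] in groups_of(u, passwd, groups)}
        else:                    # plain user rule
            grants[line] = {who} & set(passwd)
    return grants
```

With this data `parse_group(GROUP)["leam"]` has an empty member set, the `getent group` view Jim describes, while `sudoers_grants(SUDOERS, parse_passwd(PASSWD), parse_group(GROUP))` shows the `%leam` rule reaching both leam and fred. Auditing `%group` rules therefore needs `id`-style resolution that includes primary GIDs, not `getent group` alone.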