<div dir="auto">Ok. Now make Fred's default group leam and make certain that Fred doesn't appear as a member with getent group leam. So remove Fred from group leam in /etc/group but keep Fred's default group as leam. <div dir="auto"><br></div><div dir="auto">In my exact scenario the user and group data is provided through sssd from freeipa/IdM. The sudoers file is a local file and not handled by IdM. In my opinion, Fred should not have access. Calling the group "mine" but not a member is a conflict. </div><div dir="auto"><br></div><div dir="auto">I know that sudo rules managed by IdM with a group defined for access require group membership - IdM looks at the rule being accessed, then at the denied list, and then the approved list. For groups approved it expands to a user list and then searches for the requesting user. </div><div dir="auto"><br></div><div dir="auto">But it seems like local file sudoers does a requesting user lookup to match groups and approves from that. </div><div dir="auto"><br></div><div dir="auto">Instead of digging through source code for hard proof, I've been doing web research to determine the method and keep pulling up blank.</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, Mar 3, 2023, 8:19 AM Leam Hall via Ale <<a href="mailto:ale@ale.org">ale@ale.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><br>
<br>
On 3/2/23 20:16, Jim Kinney via Ale wrote:<br>
> If a user has a default group that's not a typical user private group (same name, no members except that user), and sudoers has a group entry of that default group, does sudo get its group membership of that user from a user lookup or a group lookup?<br>
> <br>
> Got a user with default group foo but the user doesn't show as a member using getent group foo. The user can use the group sudo process. Seems wrong to me. Maybe user not required to be a member of their default group? Seems REALLY wrong to me.<br>
> <br>
<br>
Jim,<br>
<br>
I'm not sure I understand the question, the "not" in the first sentence confuses me. Here's what I did on a Fedora 37 box:<br>
<br>
1. Edit /etc/sudoers<br>
%leam ALL=/usr/bin/cat /tmp/file_group<br>
leam ALL=/usr/bin/cat /tmp/file_user<br>
<br>
2. Create user fred, in group leam.<br>
<br>
3. Try to read the files. Note the user name is in brackets:<br>
<br>
[leam@shaphan ~]$ sudo cat /tmp/file_group<br>
file 2<br>
[leam@shaphan ~]$ sudo cat /tmp/file_user<br>
file 1<br>
<br>
[fred@shaphan ~]$ sudo cat /tmp/file_group<br>
[sudo] password for fred:<br>
file 2<br>
[fred@shaphan ~]$ sudo cat /tmp/file_user<br>
Sorry, user fred is not allowed to execute '/usr/bin/cat /tmp/file_user' as root on shaphan.<br>
<br>
"fred" can read the file based on group membership, and leam can read it based on user. So my bet is that both user and group are checked, and any allow gives an allow. Does that help?<br>
<br>
Leam<br>
<br>
-- <br>
Automation Engineer (<a href="http://reuel.net/resume" rel="noreferrer noreferrer" target="_blank">reuel.net/resume</a>)<br>
Scribe: The Domici War (<a href="http://domiciwar.net" rel="noreferrer noreferrer" target="_blank">domiciwar.net</a>)<br>
General Ne'er-do-well (<a href="http://github.com/LeamHall" rel="noreferrer noreferrer" target="_blank">github.com/LeamHall</a>)<br>
_______________________________________________<br>
Ale mailing list<br>
<a href="mailto:Ale@ale.org" target="_blank" rel="noreferrer">Ale@ale.org</a><br>
<a href="https://mail.ale.org/mailman/listinfo/ale" rel="noreferrer noreferrer" target="_blank">https://mail.ale.org/mailman/listinfo/ale</a><br>
See JOBS, ANNOUNCE and SCHOOLS lists at<br>
<a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
</blockquote></div>
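Added example, not part of the thread: a small POSIX shell audit that computes a group's effective membership the way a %group sudoers rule sees it (explicit members from the group entry plus users whose primary GID is that group), run on constructed passwd/group data that reproduces Jim's scenario. The script, its sample data and the function names are mine, not anything from the list or from sudo.

```shell
#!/bin/sh
# Added example (not from the thread): audit who a "%leam" sudoers rule really covers.
# `getent group NAME` shows only the explicit member list (group field 4); a user whose
# primary GID is that group (passwd field 4) is not listed there, yet sudo matches a
# %group rule on the primary GID too. Input is NSS-format passwd/group text, so the
# functions run here on constructed sample data (or on saved getent output).

# explicit_members GROUP GROUP_FILE -> users named in the group entry, one per line
explicit_members() {
    awk -F: -v g="$1" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
}

# primary_members GROUP PASSWD_FILE GROUP_FILE -> users whose primary GID is GROUP
primary_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$3")
    [ -n "$gid" ] || return 1    # unknown group: fail rather than report nobody
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
}

# effective_members GROUP PASSWD_FILE GROUP_FILE -> union of both lists, sorted, unique
effective_members() {
    { explicit_members "$1" "$3"; primary_members "$1" "$2" "$3"; } | sort -u
}

# hidden_members GROUP PASSWD_FILE GROUP_FILE -> users sudo matches that getent group omits
hidden_members() {
    gid=$(awk -F: -v g="$1" '$1 == g { print $3; exit }' "$3")
    [ -n "$gid" ] || return 1
    awk -F: -v g="$1" -v gid="$gid" '
        NR == FNR { if ($1 == g) { n = split($4, m, ","); for (i = 1; i <= n; i++) seen[m[i]] = 1 }; next }
        $4 == gid && !($1 in seen) { print $1 }' "$3" "$2" | sort -u
}

# Constructed sample data reproducing the thread's scenario: fred's primary group is
# leam (GID 1000) but the leam group entry lists no members at all.
DEMO=$(mktemp -d); PW="$DEMO/passwd"; GR="$DEMO/group"
cat > "$PW" <<'EOF'
root:x:0:0:root:/root:/bin/bash
leam:x:1000:1000::/home/leam:/bin/bash
fred:x:1001:1000::/home/fred:/bin/bash
EOF
cat > "$GR" <<'EOF'
root:x:0:
wheel:x:10:leam
leam:x:1000:
EOF
echo "getent group leam would list:  $(explicit_members leam "$GR" | tr '\n' ' ')"
echo "users a %leam rule matches:    $(effective_members leam "$PW" "$GR" | tr '\n' ' ')"
echo "not visible via getent group:  $(hidden_members leam "$PW" "$GR" | tr '\n' ' ')"
```

To check the sssd-provided data, save `getent passwd` and `getent group` output to two files and pass those paths instead of the sample files.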