sudo-project / sudo

Utility to execute a command as another user
https://www.sudo.ws

getgroups only returns main group #225

Closed tirolerstefan closed 1 year ago

tirolerstefan commented 1 year ago

I have a situation in an Ubuntu 18.04 docker container where my user gets rejected by sudo: [user] is not in the sudoers file. This incident will be reported.

My user has main group membership 100 (users) and is member of groups: adm dialout cdrom sudo plugdev lpadmin sbuild vboxusers docker (ids: 4,20,24,27,46,100,116,127,134,999). I have debugged the situation with a sudo_debug logfile and rebuilt sudo from jammy (1.9.9).

In method get_user_groups, the getgroups from libc returns 1 group (the main group):

cred->ngroups = getgroups(0, NULL); // -V575

Debug log:

Dec 21 07:37:49.690 sudo[27610] -> get_user_groups @ ./sudo.c:433
Dec 21 07:37:49.690 sudo[27610] get_user_groups: got 1 groups via getgroups()
Dec 21 07:37:49.690 sudo[27610] <- get_user_groups @ ./sudo.c:490 := groups=100

Then I adapted the code and added initgroups to check whether the situation improves:

    cred->ngroups = getgroups(0, NULL); // -V575
    /*dbg*/ sudo_debug_printf(SUDO_DEBUG_INFO, "*** (1) cred->ngroups: %d", cred->ngroups);
    /*dbg*/ initgroups(user, 0);
    /*dbg*/ cred->ngroups = getgroups(0, NULL); // -V575
    /*dbg*/ sudo_debug_printf(SUDO_DEBUG_INFO, "*** (2) cred->ngroups: %d", cred->ngroups);
[...]
        } else {
            sudo_debug_printf(SUDO_DEBUG_INFO,
            "%s: **** got %d groups via getgroups()",
            __func__, cred->ngroups);
[...]

-> and then, it worked.

Debug log:

Dec 21 08:43:19.427 sudo[6425] -> get_user_groups @ ./sudo.c:433
Dec 21 08:43:19.427 sudo[6425] *** (1) cred->ngroups: 1
Dec 21 08:43:19.428 sudo[6425] *** (2) cred->ngroups: 11
Dec 21 08:43:19.428 sudo[6425] get_user_groups: **** got 11 groups via getgroups()
Dec 21 08:43:19.428 sudo[6425] <- get_user_groups @ ./sudo.c:493 := groups=0,4,20,24,27,46,100,116,127,134,999

Ok, initgroups is not ideal with argument 0, because group 0 is added to the list of groups. But do you have a hint, why the supplementary groups are not returned in this case (without using initgroups) or how I could solve that situation?

Additional info for docker:

I start it with following cmd: docker run -it -w "$(pwd)" --user $UID:$GID --volume="/etc/passwd:/etc/passwd:ro" --volume="/etc/shadow:/etc/shadow:ro" --volume="/etc/group:/etc/group:ro" -v /home:/home -e DISPLAY=$DISPLAY [my_image]

Thanks for any help!

millert commented 1 year ago

So basically docker is not initializing the group vector for you. Have you tried adding the following to /etc/sudo.conf?

Set group_source dynamic

That will cause sudo to query the group list from the group database instead of the kernel.
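The two group sources discussed above, as an added example that is not sudo's own code: the kernel-side list from getgroups() (the process's group vector, which the container started with --user never initialized) next to the database-side list from getgrouplist(), which resolves membership from /etc/group via NSS for a user name and that user's real primary gid. Using getgrouplist() with the real primary gid instead of initgroups(user, 0) avoids injecting gid 0 into the result and does not require root, because nothing calls setgroups(). The helper names (kernel_groups, database_groups, has_gid, group_vector_complete) are this example's own.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Membership test over a gid array. */
int has_gid(const gid_t *g, int n, gid_t want) {
    for (int i = 0; i < n; i++)
        if (g[i] == want) return 1;
    return 0;
}

/* Supplementary groups as the kernel holds them for the calling process.
 * This is what a plain getgroups() in get_user_groups() sees. Returns the
 * count and stores a malloc'd array in *out; -1 on error. */
int kernel_groups(gid_t **out) {
    int n = getgroups(0, NULL);
    if (n < 0) return -1;
    gid_t *g = calloc(n > 0 ? n : 1, sizeof(gid_t));
    if (!g) return -1;
    n = getgroups(n, g);
    if (n < 0) { free(g); return -1; }
    *out = g;
    return n;
}

/* Groups from the group database for 'user', seeded with the user's real
 * primary gid. getgrouplist() grows the required size into 'n' when the
 * buffer is too small; the loop retries until it fits. Returns the count
 * and stores a malloc'd array in *out; -1 on error. */
int database_groups(const char *user, gid_t primary, gid_t **out) {
    int cap = 16;
    while (cap <= 65536) {              /* bounded retry against a misbehaving libc */
        int n = cap;
        gid_t *g = malloc((size_t)cap * sizeof(gid_t));
        if (!g) return -1;
        if (getgrouplist(user, primary, g, &n) != -1) {
            *out = g;
            return n;
        }
        free(g);
        cap = n > cap ? n : cap * 2;
    }
    return -1;
}

/* 1 if every group the database grants 'user' is already in the process's
 * kernel group vector, 0 if something is missing (the symptom in the issue:
 * the container started the process with only its primary group), -1 on error. */
int group_vector_complete(const char *user, gid_t primary) {
    gid_t *k = NULL, *d = NULL;
    int nk = kernel_groups(&k);
    int nd = database_groups(user, primary, &d);
    int complete = 1;
    if (nk < 0 || nd < 0) { free(k); free(d); return -1; }
    for (int i = 0; i < nd; i++)
        if (d[i] != primary && !has_gid(k, nk, d[i])) complete = 0;
    free(k);
    free(d);
    return complete;
}

static void print_gids(const char *label, const gid_t *g, int n) {
    printf("%s (%d):", label, n);
    for (int i = 0; i < n; i++) printf(" %u", (unsigned)g[i]);
    printf("\n");
}

int main(void) {
    struct passwd *pw = getpwuid(getuid());
    if (!pw) {                           /* e.g. --user UID with no /etc/passwd entry */
        fprintf(stderr, "uid %u has no passwd entry\n", (unsigned)getuid());
        return 1;
    }
    gid_t *k = NULL, *d = NULL;
    int nk = kernel_groups(&k);
    int nd = database_groups(pw->pw_name, pw->pw_gid, &d);
    if (nk < 0 || nd < 0) return 1;
    print_gids("kernel   getgroups()", k, nk);
    print_gids("database getgrouplist()", d, nd);
    printf("group vector complete: %d\n", group_vector_complete(pw->pw_name, pw->pw_gid));
    free(k);
    free(d);
    return 0;
}
```

Run it inside a container started with --user UID:GID and the bind-mounted /etc/group: the kernel list shows one entry while the database list shows the full membership, which is exactly the gap that "Set group_source dynamic" tells sudo to bridge by consulting the database instead of the kernel.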

tirolerstefan commented 1 year ago

... and that works. Thank you!

millert commented 1 year ago

Closing this since it is really a docker issue and sudo provides a work-around.