sudo-project/sudo

getgroups only returns main group


I have a situation in an Ubuntu 18.04 docker container where my user gets rejected by sudo:
[user] is not in the sudoers file. This incident will be reported.

My user has main group membership 100 (users) and is member of groups: adm dialout cdrom sudo plugdev lpadmin sbuild vboxusers docker (ids: 4,20,24,27,46,100,116,127,134,999).
I have debugged the situation with a sudo_debug logfile and rebuilt sudo from jammy (1.9.9).

In method get_user_groups, the getgroups from libc returns 1 group (the main group):

cred->ngroups = getgroups(0, NULL); // -V575

Debug log:

Dec 21 07:37:49.690 sudo[27610] -> get_user_groups @ ./sudo.c:433
Dec 21 07:37:49.690 sudo[27610] get_user_groups: got 1 groups via getgroups()
Dec 21 07:37:49.690 sudo[27610] <- get_user_groups @ ./sudo.c:490 := groups=100

Then I adapted the code and added initgroups to check whether the situation improves:

    cred->ngroups = getgroups(0, NULL); // -V575
    /*dbg*/ sudo_debug_printf(SUDO_DEBUG_INFO, "*** (1) cred->ngroups: %d", cred->ngroups);
    /*dbg*/ initgroups(user, 0);
    /*dbg*/ cred->ngroups = getgroups(0, NULL); // -V575
    /*dbg*/ sudo_debug_printf(SUDO_DEBUG_INFO, "*** (2) cred->ngroups: %d", cred->ngroups);
[...]
		} else {
		    sudo_debug_printf(SUDO_DEBUG_INFO,
			"%s: **** got %d groups via getgroups()",
			__func__, cred->ngroups);
[...]

-> and then it worked.

Debug log:

Dec 21 08:43:19.427 sudo[6425] -> get_user_groups @ ./sudo.c:433
Dec 21 08:43:19.427 sudo[6425] *** (1) cred->ngroups: 1
Dec 21 08:43:19.428 sudo[6425] *** (2) cred->ngroups: 11
Dec 21 08:43:19.428 sudo[6425] get_user_groups: **** got 11 groups via getgroups()
Dec 21 08:43:19.428 sudo[6425] <- get_user_groups @ ./sudo.c:493 := groups=0,4,20,24,27,46,100,116,127,134,999

Ok, initgroups is not ideal with argument 0, because group 0 is added to the list of groups.
But do you have a hint why the supplementary groups are not returned in this case (without using initgroups), or how I could solve that situation?

Additional info for docker:

I start it with the following command:
docker run -it -w "$(pwd)" --user $UID:$GID --volume="/etc/passwd:/etc/passwd:ro" --volume="/etc/shadow:/etc/shadow:ro" --volume="/etc/group:/etc/group:ro" -v /home:/home -e DISPLAY=$DISPLAY [my_image]

Thanks for any help!

So basically docker is not initializing the group vector for you. Have you tried adding the following to /etc/sudo.conf?

Set group_source dynamic

That will cause sudo to query the group list from the group database instead of the kernel.
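An added example (not sudo's code, and not from either poster) of the difference between the two group sources: the kernel vector that getgroups() returns, which the container left holding only the primary gid, versus a lookup in the group database, which is what `group_source dynamic` switches sudo to. The /etc/group excerpt, the user names and the function names are constructed for this example.

```c
/* Added example, not sudo's own code: sudo trusts the kernel group vector (getgroups())
 * by default; "Set group_source dynamic" makes it consult the group database instead. */
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
static const char *GROUP_DB =   /* constructed /etc/group excerpt for the example */
    "root:x:0:\nsudo:x:27:alice\nusers:x:100:\ndocker:x:999:alice,bob\n";

/* Is user one of the comma-separated names in members[0..len)? */
static int is_member(const char *members, size_t len, const char *user)
{
    size_t ulen = strlen(user);
    for (const char *p = members, *end = members + len; p < end; p++) {
        const char *q = memchr(p, ',', (size_t)(end - p));
        if (q == NULL) q = end;
        if ((size_t)(q - p) == ulen && memcmp(p, user, ulen) == 0) return 1;
        p = q;          /* p++ then moves past the comma */
    }
    return 0;
}

/* Supplementary gids for user from name:passwd:gid:members lines; -1 if out[] is too small. */
int db_supplementary_groups(const char *db, const char *user, gid_t *out, int max)
{
    int n = 0;
    for (const char *line = db; *line != '\0'; ) {
        const char *end = line + strcspn(line, "\n");
        const char *gid = NULL, *mem = NULL, *c = memchr(line, ':', (size_t)(end - line));
        if (c != NULL) c = memchr(c + 1, ':', (size_t)(end - c - 1));   /* skip passwd */
        if (c != NULL) { gid = c + 1; mem = memchr(gid, ':', (size_t)(end - gid)); }
        if (mem != NULL && is_member(mem + 1, (size_t)(end - mem - 1), user)) {
            if (n == max) return -1;
            out[n++] = (gid_t)strtoul(gid, NULL, 10);
        }
        line = (*end == '\n') ? end + 1 : end;
    }
    return n;
}

/* Database groups of user that a getgroups()-style vector lacks (this issue's symptom). */
int missing_from_kernel(const char *db, const char *user, const gid_t *kern, int nkern)
{
    gid_t want[64];
    int ndb = db_supplementary_groups(db, user, want, 64), missing = ndb;
    for (int i = 0; i < ndb; i++)
        for (int j = 0; j < nkern; j++)
            if (kern[j] == want[i]) { missing--; break; }
    return missing;   /* -1 if the database list did not fit in want[] */
}
```

With the vector from the first debug log (just gid 100) the database lists two groups the kernel never saw; with the full vector from the second log it lists none.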

... and that works.
Thank you!

Closing this since it is really a docker issue and sudo provides a work-around.