戻る
-
タイトル
User retains Sudo privileges after being removed from group -
説明
Removing a user from a group that has sudo privileges leaves the user with those privileges until they log out.
e.g
UserA is added to GroupA
GroupA is configured in the sudoers file.
UserA is then removed from GroupA while still logged in.
UserA retains the privileges as if they were still a member of GroupA until they log out. -
原因
The group membership is automatically loaded into memory when the user logs in and is not removed until the user logs back in again.
Sudo simply processes sudoers and tries to match the user's current attributes against the rule set.
If NOPASSWD is defined in the rule, then it will not attempt to refresh the group membership by re-authentication. -
対策
This is expected behaviour and the same results are obtained with local users.
Rules without the NOPASSWD option will re-authenticate and update the group membership. -
追加情報
Non Unix enabled users will use the PAC certificate for group membership. Group information for local uses is retained by the shell