Make "group_source=dynamic" the default on macOS.

Recent versions of macOS do not reliably return all of a user's non-local groups via getgroups(2), even when _DARWIN_UNLIMITED_GETGROUPS is defined. Bug #946.
2025-08-22 01:49:11 +00:00 · 2021-03-02 14:09:31 -07:00 · 2021-03-02 14:09:31 -07:00 · 5ffa0ce053
commit 5ffa0ce053
parent 9bbf120bd8
4 changed files with 29 additions and 7 deletions
--- a/5
+++ b/5
@ -64,6 +64,11 @@ What's new in Sudo 1.9.6
   timestamp_timeout and passwd_timeout sudoers settings to a
   timespec struct.

+ * The default for the "group_source" setting in sudo.conf is now
+   "dynamic" on macOS.  Recent versions of macOS do not reliably
+   return all of a user's non-local groups via getgroups(2), even
+   when _DARWIN_UNLIMITED_GETGROUPS is defined.  Bug #946.
+
 What's new in Sudo 1.9.5p2

 * Fixed sudo's setprogname(3) emulation on systems that don't
--- a/doc/sudo.conf.man.in
+++ b/doc/sudo.conf.man.in
@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .nr SL @SEMAN@
-.TH "SUDO.CONF" "@mansectform@" "February 16, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO.CONF" "@mansectform@" "March 2, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@ -470,12 +470,15 @@ Currently,
 \fBsudo\fR
 supports efficient group queries on AIX,
 BSD,
-HP-UX, Linux and Solaris.
+HP-UX, Linux, macOS and Solaris.
+This is the default behavior on macOS in
+\fBsudo\fR
+1.9.6 and higher.
 .TP 10n
 adaptive
 Only query the group database if the static group list returned
 by the kernel has the maximum number of entries.
-This is the default behavior in
+This is the default behavior on systems other than macOS in
 \fBsudo\fR
 1.8.7 and higher.
 .PP
--- a/doc/sudo.conf.mdoc.in
+++ b/doc/sudo.conf.mdoc.in
@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .nr SL @SEMAN@
-.Dd February 16, 2021
+.Dd March 2, 2021
 .Dt SUDO.CONF @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@ -432,11 +432,14 @@ Currently,
 .Nm sudo
 supports efficient group queries on AIX,
 .Bx ,
-HP-UX, Linux and Solaris.
+HP-UX, Linux, macOS and Solaris.
+This is the default behavior on macOS in
+.Nm sudo
+1.9.6 and higher.
 .It adaptive
 Only query the group database if the static group list returned
 by the kernel has the maximum number of entries.
-This is the default behavior in
+This is the default behavior on systems other than macOS in
 .Nm sudo
 1.8.7 and higher.
 .El
--- a/lib/util/sudo_conf.c
+++ b/lib/util/sudo_conf.c
@ -117,12 +117,23 @@ static struct sudo_conf_table sudo_conf_var_table[] = {
    { NULL } \
 }

+/*
+ * getgroups(2) on macOS is flakey with respect to non-local groups. 
+ * Even with _DARWIN_UNLIMITED_GETGROUPS set we may not get all groups./
+ * See bug #946 for details.
+ */
+#ifdef __APPLE__
+# define GROUP_SOURCE_DEFAULT	GROUP_SOURCE_DYNAMIC
+#else
+# define GROUP_SOURCE_DEFAULT	GROUP_SOURCE_ADAPTIVE
+#endif
+
 #define SUDO_CONF_SETTINGS_INITIALIZER	{				\
    false,			/* updated */				\
    false,			/* developer_mode */			\
    true,			/* disable_coredump */			\
    true,			/* probe_interfaces */			\
-    GROUP_SOURCE_ADAPTIVE,	/* group_source */			\
+    GROUP_SOURCE_DEFAULT,	/* group_source */			\
    -1				/* max_groups */			\
 }