Make "group_source=dynamic" the default on macOS.

Recent versions of macOS do not reliably return all of a user's non-local groups via getgroups(2), even when _DARWIN_UNLIMITED_GETGROUPS is defined. Bug #946.
2025-08-30 22:05:46 +00:00 · 2021-03-02 14:09:31 -07:00
parent 9bbf120bd8
commit 5ffa0ce053
4 changed files with 29 additions and 7 deletions
--- a/5
+++ b/5
@@ -64,6 +64,11 @@ What's new in Sudo 1.9.6
   timestamp_timeout and passwd_timeout sudoers settings to a
   timespec struct.
 * The default for the "group_source" setting in sudo.conf is now
   "dynamic" on macOS.  Recent versions of macOS do not reliably
   return all of a user's non-local groups via getgroups(2), even
   when _DARWIN_UNLIMITED_GETGROUPS is defined.  Bug #946.
 What's new in Sudo 1.9.5p2
 * Fixed sudo's setprogname(3) emulation on systems that don't
--- a/doc/sudo.conf.man.in
+++ b/doc/sudo.conf.man.in
@@ -17,7 +17,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .nr SL @SEMAN@
-.TH "SUDO.CONF" "@mansectform@" "February 16, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
+.TH "SUDO.CONF" "@mansectform@" "March 2, 2021" "Sudo @PACKAGE_VERSION@" "File Formats Manual"
 .nh
 .if n .ad l
 .SH "NAME"
@@ -470,12 +470,15 @@ Currently,
 \fBsudo\fR
 supports efficient group queries on AIX,
 BSD,
-HP-UX, Linux and Solaris.
+HP-UX, Linux, macOS and Solaris.
 This is the default behavior on macOS in
 \fBsudo\fR
 1.9.6 and higher.
 .TP 10n
 adaptive
 Only query the group database if the static group list returned
 by the kernel has the maximum number of entries.
-This is the default behavior in
+This is the default behavior on systems other than macOS in
 \fBsudo\fR
 1.8.7 and higher.
 .PP
--- a/doc/sudo.conf.mdoc.in
+++ b/doc/sudo.conf.mdoc.in
@@ -16,7 +16,7 @@
 .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 .\"
 .nr SL @SEMAN@
-.Dd February 16, 2021
+.Dd March 2, 2021
 .Dt SUDO.CONF @mansectform@
 .Os Sudo @PACKAGE_VERSION@
 .Sh NAME
@@ -432,11 +432,14 @@ Currently,
 .Nm sudo
 supports efficient group queries on AIX,
 .Bx ,
-HP-UX, Linux and Solaris.
+HP-UX, Linux, macOS and Solaris.
 This is the default behavior on macOS in
 .Nm sudo
 1.9.6 and higher.
 .It adaptive
 Only query the group database if the static group list returned
 by the kernel has the maximum number of entries.
-This is the default behavior in
+This is the default behavior on systems other than macOS in
 .Nm sudo
 1.8.7 and higher.
 .El
--- a/lib/util/sudo_conf.c
+++ b/lib/util/sudo_conf.c
@@ -117,12 +117,23 @@ static struct sudo_conf_table sudo_conf_var_table[] = {
    { NULL } \
 }
 /*
 * getgroups(2) on macOS is flakey with respect to non-local groups. 
 * Even with _DARWIN_UNLIMITED_GETGROUPS set we may not get all groups./
 * See bug #946 for details.
 */
 #ifdef __APPLE__
 # define GROUP_SOURCE_DEFAULT	GROUP_SOURCE_DYNAMIC
 #else
 # define GROUP_SOURCE_DEFAULT	GROUP_SOURCE_ADAPTIVE
 #endif
 #define SUDO_CONF_SETTINGS_INITIALIZER	{				\
    false,			/* updated */				\
    false,			/* developer_mode */			\
    true,			/* disable_coredump */			\
    true,			/* probe_interfaces */			\
-    GROUP_SOURCE_ADAPTIVE,	/* group_source */			\
+    GROUP_SOURCE_DEFAULT,	/* group_source */			\
    -1				/* max_groups */			\
 }