Merge branch 'main' into reimplement-dsl

.github/workflows/ci.yaml

@@ -25,14 +25,14 @@ jobs:
         run: docker buildx create --name builder --use
 
       - name: cache docker layers
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
         with:
           path: /tmp/.buildx-cache
           key: docker-buildx-rs-${{ github.sha }}
           restore-keys: docker-buildx-rs-
 
       - name: Rust Cache
-        uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
+        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
         with:
           shared-key: "compliance-tests"
           workspaces: |
@@ -62,7 +62,7 @@ jobs:
         run: docker buildx create --name builder --use
 
       - name: Rust Cache
-        uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
+        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
         with:
           shared-key: "compliance-tests"
           workspaces: |
@@ -93,14 +93,14 @@ jobs:
         run: docker buildx create --name builder --use
 
       - name: cache docker layers
-        uses: actions/cache@6849a6489940f00c2f30c0fb92c6274307ccb58a
+        uses: actions/cache@1bd1e32a3bdc45362d1e726936510720a7c30a57
         with:
           path: /tmp/.buildx-cache
           key: docker-buildx-rs-${{ github.sha }}
           restore-keys: docker-buildx-rs-
 
       - name: Rust Cache
-        uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
+        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
         with:
           shared-key: "compliance-tests"
           workspaces: |
@@ -136,7 +136,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Rust Cache
-        uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
+        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
         with:
           shared-key: "compliance-tests"
           workspaces: |
@@ -178,7 +178,7 @@ jobs:
           sudo apt install libpam0g-dev
 
       - name: Rust Cache
-        uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
+        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
         with:
           shared-key: "stable"
 
@@ -213,7 +213,7 @@ jobs:
           sudo apt install libpam0g-dev
 
       - name: Rust Cache
-        uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
+        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
         with:
           shared-key: "nightly"
 
@@ -244,7 +244,7 @@ jobs:
           sudo apt install libpam0g-dev
 
       - name: Rust Cache
-        uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
+        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
         with:
           shared-key: "msrv"
 
@@ -276,7 +276,7 @@ jobs:
           sudo apt install libpam0g-dev
 
       - name: Rust Cache
-        uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
+        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
         with:
           shared-key: miri
 
@@ -330,7 +330,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Rust Cache
-        uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
+        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
         with:
           shared-key: "stable"
 
@@ -349,7 +349,7 @@ jobs:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
 
       - name: Rust Cache
-        uses: Swatinem/rust-cache@82a92a6e8fbeee089604da2575dc567ae9ddeaab
+        uses: Swatinem/rust-cache@f0deed1e0edfc6a9be95417288c0e1099b1eeec3
         with:
           shared-key: "stable"
 

src/su/context.rs

@@ -112,7 +112,7 @@ impl SuContext {
 
             // last argument is the primary group
             group = primary_group.clone();
-            user.groups.push(primary_group.gid);
+            user.groups.insert(0, primary_group.gid);
         }
 
         // add additional group if current user is root

src/system/mod.rs

@@ -276,9 +276,16 @@ pub fn set_target_user(
 ) {
     use std::os::unix::process::CommandExt;
 
-    // add target group to list of additional groups if not present
-    if !target_user.groups.contains(&target_group.gid) {
-        target_user.groups.push(target_group.gid);
+    if let Some(index) = target_user
+        .groups
+        .iter()
+        .position(|id| id == &target_group.gid)
+    {
+        // make sure the requested group id is the first in the list (necessary on FreeBSD)
+        target_user.groups.swap(0, index)
+    } else {
+        // add target group to list of additional groups if not present
+        target_user.groups.insert(0, target_group.gid);
     }
 
     // we need to do this in a `pre_exec` call since the `groups` method in `process::Command` is unstable

test-framework/sudo-compliance-tests/src/sudo/flag_group.rs

@@ -77,6 +77,38 @@ fn adds_group_to_groups_output() -> Result<()> {
     Ok(())
 }
 
+#[test]
+fn supplementary_groups_can_be_made_primary() -> Result<()> {
+    let extra_group = "rustaceans";
+    let env = Env(SUDOERS_ALL_ALL_NOPASSWD)
+        .user(User(USERNAME).secondary_group(extra_group))
+        .group(Group(extra_group))
+        .group("secondary-group")
+        .build()?;
+
+    let stdout = Command::new("groups")
+        .as_user(USERNAME)
+        .output(&env)?
+        .stdout()?;
+    let mut groups_without_sudo = stdout.split_ascii_whitespace().collect::<Vec<_>>();
+
+    let stdout = Command::new("sudo")
+        .args(["-g", extra_group, "groups"])
+        .as_user(USERNAME)
+        .output(&env)?
+        .stdout()?;
+
+    let mut groups_with_sudo = stdout.split_ascii_whitespace().collect::<Vec<_>>();
+
+    assert_eq!(groups_with_sudo[0], extra_group);
+
+    groups_without_sudo.sort();
+    groups_with_sudo.sort();
+    assert_eq!(groups_with_sudo, groups_without_sudo);
+
+    Ok(())
+}
+
 #[test]
 fn group_can_be_specified_by_id() -> Result<()> {
     let expected_gid = 1234;