Date: Sat, 11 May 2002 19:53:31 +0000
From: "J. Mallett"
To: Garrett Wollman
Cc: Jacques Vidrine, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/kerberos5/usr.bin/k5su Makefile

On Sat, May 11, 2002 at 03:45:53PM -0400, Garrett Wollman wrote:
> < said:
>
> > Do not install this with set-user-ID bit set. This utility does not
> > grok the `wheel' group.
>
> That is by design.
>
> Kerberos `su' to root is only supposed to depend on whether the user
> can authenticate as the principal logname/root@MYREALM, and is listed
> on root's ACL for the machine on which `su' is run. This is a
> stronger requirement than being in group `wheel'.

And on a non-Kerberos authenticated system, all users should not be able to use
k5su(1) to get around having to be in the wheel group.
--
jmallett@FreeBSD.org | C, MIPS, POSIX, UNIX, BSD, IRC Geek.
http://www.FreeBSD.org | The Power to Serve
"I've never tried to give my life meaning by demeaning you."