Date: Tue, 19 May 1998 16:13:32 -0400 (EDT)
From: Max Euston <meuston@jmrodgers.com>
To: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: bin/6696: [Patch] su(1) does not check primary group id
Message-ID: <199805192013.QAA13225@gw.jmrodgers.com>
>Number: 6696 >Category: bin >Synopsis: [Patch] su(1) does not check primary group id >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue May 19 13:10:00 PDT 1998 >Last-Modified: >Originator: Max Euston >Organization: >Release: FreeBSD 2.2.5-STABLE i386 >Environment: -STABLE (& -CURRENT) >Description: su(1) does not allow a user who is a member of group 0 (in /etc/passwd) to 'su root' unless they are also explicitly listed in /etc/group. >From 'man group': A user is automatically in a group if that group was speci- fied in their /etc/passwd entry and does not need to be added to that group in the /etc/group file. >How-To-Repeat: Add a user to group 0, but don't add them to /etc/group. Try to 'su root'. >Fix: diff -u /src/usr.bin/su/su.1 ./su.1 --- /src/usr.bin/su/su.1 Fri Feb 20 17:35:16 1998 +++ ./su.1 Tue May 19 12:37:11 1998 @@ -152,13 +152,16 @@ usually expects a single argument only; you have to quote it when passing multiple words. .Pp -Only users listed in group 0 (normally +Only users who are a member of group 0 (normally .Dq wheel ) can .Nm to -.Dq root , -unless this group is empty. +.Dq root . +\ If group 0 is missing or empty, any user can +.Nm +to +.Dq root . .Pp By default (unless the prompt is reset by a startup file) the super-user prompt is set to diff -u /src/usr.bin/su/su.c ./su.c --- /src/usr.bin/su/su.c Fri Feb 20 17:35:16 1998 +++ ./su.c Tue May 19 15:36:13 1998 @@ -113,6 +113,7 @@ char *p, **g, *user, *shell=NULL, *username, **cleanenv, **nargv, **np; struct group *gr; uid_t ruid; + gid_t gid; int asme, ch, asthem, fastlogin, prio, i; enum { UNSET, YES, NO } iscsh = UNSET; #ifdef LOGIN_CAP @@ -198,6 +199,7 @@ if (pwd == NULL) errx(1, "who are you?"); username = strdup(pwd->pw_name); + gid = pwd->pw_gid; if (username == NULL) err(1, NULL); if (asme) { 
@@ -249,14 +251,21 @@ } #endif { - /* only allow those in group zero to su to root. */ + /* + * Only allow those with pw_gid==0 or those listed in + * group zero to su to root. If group zero entry is + * missing or empty, then allow anyone to su to root. + * iswheelsu will only be set if the user is EXPLICITLY + * listed in group zero. + */ if (pwd->pw_uid == 0 && (gr = getgrgid((gid_t)0)) && gr->gr_mem && *(gr->gr_mem)) for (g = gr->gr_mem;; ++g) { if (!*g) - errx(1, - "you are not in the correct group to su %s.", - user); + if (gid == 0) + break; + else + errx(1, "you are not in the correct group to su %s.", user); if (strcmp(username, *g) == 0) { #ifdef WHEELSU iswheelsu = 1; >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
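Review bot: In the su.1 hunk at -152, "users who are a member of group 0" still does not say that membership now counts either way, through the primary group in /etc/passwd or through a listing in /etc/group, which is the whole point of the change; spell both out so the page matches the new check, and use "members" for the plural. The added line "+\ If group 0 is missing or empty, any user can" also starts with "\ ", which no other line in the hunk does; drop it unless it is required for rendering.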
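Review bot: In the su.c hunk at -198, "gid = pwd->pw_gid;" lands between "username = strdup(pwd->pw_name);" and its "if (username == NULL)" check, separating the allocation from its failure test; move the assignment above the strdup() or below the err(1, NULL) line so the two stay adjacent.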
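Review bot: In the su.c hunk at -249, the body of "if (!*g)" is now an unbraced "if (gid == 0) break; else errx(...)", a dangling-else construct that is easy to misread in an authorization check and that compilers commonly warn about. Brace the outer if and drop the else, since break already leaves the loop: "if (!*g) { if (gid == 0) break; errx(...); }". The errx() call has also been joined from three lines onto one; keeping the original wrapping would keep the change to the lines that actually differ.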