Date:      Tue, 19 May 1998 16:13:32 -0400 (EDT)
From:      Max Euston <meuston@jmrodgers.com>
To:        FreeBSD-gnats-submit@FreeBSD.ORG
Subject:   bin/6696: [Patch] su(1) does not check primary group id
Message-ID:  <199805192013.QAA13225@gw.jmrodgers.com>


>Number:         6696
>Category:       bin
>Synopsis:       [Patch] su(1) does not check primary group id
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 19 13:10:00 PDT 1998
>Last-Modified:
>Originator:     Max Euston
>Organization:
>Release:        FreeBSD 2.2.5-STABLE i386
>Environment:

	-STABLE (& -CURRENT)

>Description:

su(1) does not allow a user who is a member of group 0 (in /etc/passwd)
to 'su root' unless they are also explicitly listed in /etc/group.

From 'man group':
	A user is automatically in a group if that group was specified
	in their /etc/passwd entry and does not need to be added to that
	group in the /etc/group file.

>How-To-Repeat:

	Add a user to group 0, but don't add them to /etc/group.
	Try to 'su root'.

>Fix:

diff -u /src/usr.bin/su/su.1 ./su.1
--- /src/usr.bin/su/su.1	Fri Feb 20 17:35:16 1998
+++ ./su.1	Tue May 19 12:37:11 1998
@@ -152,13 +152,16 @@
 usually expects a single argument only; you have to quote it when
 passing multiple words.
 .Pp
-Only users listed in group 0 (normally
+Only users who are a member of group 0 (normally
 .Dq wheel )
 can
 .Nm
 to
-.Dq root ,
-unless this group is empty.
+.Dq root .
+\ If group 0 is missing or empty, any user can
+.Nm
+to
+.Dq root .
 .Pp
 By default (unless the prompt is reset by a startup file) the super-user
 prompt is set to
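
Review bot: the added line `\ If group 0 is missing or empty, any user can` starts with an escaped space that mdoc does not need, because a sentence that begins on its own input line after `.Dq root .` is already spaced; drop the `\ `. The new wording "users who are a member of group 0" also leaves open which kind of membership counts. Say explicitly that either a primary group of 0 in /etc/passwd or a listing under group 0 in /etc/group qualifies, since that distinction is the whole point of the report.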

diff -u /src/usr.bin/su/su.c ./su.c
--- /src/usr.bin/su/su.c	Fri Feb 20 17:35:16 1998
+++ ./su.c	Tue May 19 15:36:13 1998
@@ -113,6 +113,7 @@
 	char *p, **g, *user, *shell=NULL, *username, **cleanenv, **nargv, **np;
 	struct group *gr;
 	uid_t ruid;
+	gid_t gid;
 	int asme, ch, asthem, fastlogin, prio, i;
 	enum { UNSET, YES, NO } iscsh = UNSET;
 #ifdef LOGIN_CAP
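
Review bot: the name in the added `gid_t gid;` does not say whose group id it holds, although it is declared right after `ruid`, which does. A name or a one-line comment marking it as the primary group from the invoking user's passwd entry would make the later `gid == 0` test readable without scrolling back to the assignment.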
@@ -198,6 +199,7 @@
 	if (pwd == NULL)
 		errx(1, "who are you?");
 	username = strdup(pwd->pw_name);
+	gid = pwd->pw_gid;
 	if (username == NULL)
 		err(1, NULL);
 	if (asme) {
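
Review bot: `gid = pwd->pw_gid;` is inserted between `username = strdup(pwd->pw_name);` and its `if (username == NULL)` test, which separates the allocation from its error check. Move the assignment below the `err(1, NULL);` line, or above the strdup, so the two stay adjacent.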
@@ -249,14 +251,21 @@
 		}
 #endif
 		{
-			/* only allow those in group zero to su to root. */
+			/*
+			 * Only allow those with pw_gid==0 or those listed in
+			 * group zero to su to root.  If group zero entry is
+			 * missing or empty, then allow anyone to su to root.
+			 * iswheelsu will only be set if the user is EXPLICITLY
+			 * listed in group zero.
+			 */
 			if (pwd->pw_uid == 0 && (gr = getgrgid((gid_t)0)) &&
 			    gr->gr_mem && *(gr->gr_mem))
 				for (g = gr->gr_mem;; ++g) {
 					if (!*g)
-						errx(1,
-			    "you are not in the correct group to su %s.",
-						    user);
+						if (gid == 0)
+							break;
+						else
+							errx(1, "you are not in the correct group to su %s.", user);
 					if (strcmp(username, *g) == 0) {
 #ifdef WHEELSU
 						iswheelsu = 1;
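
Review bot: in the `if (!*g)` branch the added `if (gid == 0) break; else errx(...)` is nested without braces, so the `else` pairs with the right `if` only by the nearest-if rule and the outer condition is easy to misread; brace the body of `if (!*g)`. The rejoined `errx(1, "you are not in the correct group to su %s.", user);` line also runs well past 80 columns, where the removed lines had wrapped it. On the logic: the unchanged `gr->gr_mem && *(gr->gr_mem)` condition keeps the fail-open path the new comment describes (missing or empty group zero lets anyone through), and the `gid == 0` test is reached only after the whole member list has been walked, which is what keeps `iswheelsu` limited to explicitly listed names. Both are deliberate according to the comment, but the second depends on statement order and deserves a word in the comment so a later cleanup does not hoist the gid test above the loop.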
>Audit-Trail:
>Unformatted:
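
The membership rule the report relies on, as an added C example that is not part of the original message or of su.c: it puts the list-only check next to a check that also honours the primary gid from the passwd entry, including the empty-group case the patch documents. The function names and the accounts alice, bob and carol are hypothetical and the data is constructed.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample data: wheel lists root and bob; alice has gid 0 only in passwd. */
static char *wheel_members[] = { "root", "bob", NULL };
static char *no_members[] = { NULL };
static struct group wheel = { .gr_name = "wheel", .gr_gid = 0, .gr_mem = wheel_members };
static struct group empty_wheel = { .gr_name = "wheel", .gr_gid = 0, .gr_mem = no_members };
static struct passwd alice = { .pw_name = "alice", .pw_uid = 1001, .pw_gid = 0 };
static struct passwd bob = { .pw_name = "bob", .pw_uid = 1002, .pw_gid = 20 };
static struct passwd carol = { .pw_name = "carol", .pw_uid = 1003, .pw_gid = 20 };

/* Hypothetical helper, check as reported: only names in the member list count. */
static int listed_in_group(const struct passwd *pw, const struct group *gr)
{
	char **g;

	for (g = gr->gr_mem; g != NULL && *g != NULL; ++g)
		if (strcmp(pw->pw_name, *g) == 0)
			return 1;
	return 0;
}

/*
 * Hypothetical helper, check as proposed: a primary gid equal to the group's
 * gid also counts.  A missing or empty group lets everyone through, which is
 * the fail-open behaviour the patched su.1 text spells out.
 */
static int may_su_root(const struct passwd *pw, const struct group *gr)
{
	if (gr == NULL || gr->gr_mem == NULL || *gr->gr_mem == NULL)
		return 1;
	return listed_in_group(pw, gr) || pw->pw_gid == gr->gr_gid;
}

int main(void)
{
	const struct passwd *users[] = { &alice, &bob, &carol };
	size_t i;

	for (i = 0; i < sizeof(users) / sizeof(users[0]); i++)
		printf("%-6s listed=%d allowed=%d allowed_if_wheel_empty=%d\n",
		    users[i]->pw_name, listed_in_group(users[i], &wheel),
		    may_su_root(users[i], &wheel), may_su_root(users[i], &empty_wheel));
	return 0;
}
```

The carol row is the one to watch when auditing a host: she is refused while group 0 has members, and allowed as soon as its member list is empty.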
