Date:      Sat, 11 May 2002 19:53:31 +0000
From:      "J. Mallett" <jmallett@FreeBSD.ORG>
To:        Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc:        Jacques Vidrine <nectar@FreeBSD.org>, cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject:   Re: cvs commit: src/kerberos5/usr.bin/k5su Makefile
Message-ID:  <20020511195330.GA18609@FreeBSD.ORG>
In-Reply-To: <200205111945.g4BJjrbG011767@khavrinen.lcs.mit.edu>
References:  <200205111405.g4BE58T85035@freefall.freebsd.org> <200205111945.g4BJjrbG011767@khavrinen.lcs.mit.edu>

On Sat, May 11, 2002 at 03:45:53PM -0400, Garrett Wollman wrote:
> <<On Sat, 11 May 2002 07:05:08 -0700 (PDT), Jacques Vidrine <nectar@FreeBSD.org> said:
> 
> >   Do not install this with set-user-ID bit set.  This utility does not
> >   grok the `wheel' group.
> 
> That is by design.
> 
> Kerberos `su' to root is only supposed to depend on whether the user
> can authenticate as the principal logname/root@MYREALM, and is listed
> on root's ACL for the machine on which `su' is run.  This is a
> stronger requirement than being in group `wheel'.

And on a non-Kerberos authenticated system, all users should not be able to
use k5su(1) to get around having to be in the wheel group.
-- 
jmallett@FreeBSD.org   | C, MIPS, POSIX, UNIX, BSD, IRC Geek.
http://www.FreeBSD.org | The Power to Serve
"I've never tried to give my life meaning by demeaning you."
