Date: Sun, 10 Feb 2013 06:08:02 -0600
From: Brooks Davis <brooks@freebsd.org>
To: Diane Bruce <db@db.net>
Cc: "Teske, Devin" <Devin.Teske@fisglobal.com>, "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org>
Subject: Re: group(5) Group Passwords do not work
Message-ID: <20130210120802.GD80454@lor.one-eyed-alien.net>
In-Reply-To: <20130208134718.GB62849@night.db.net>
References: <20130207232352.GA51387@night.db.net> <13CA24D6AB415D428143D44749F57D7201EA6244@ltcfiswmsgmb21> <20130208134718.GB62849@night.db.net>

On Fri, Feb 08, 2013 at 08:47:18AM -0500, Diane Bruce wrote:
> On Fri, Feb 08, 2013 at 09:47:04AM +0000, Teske, Devin wrote:
> > On Thu, 7 Feb 2013, Diane Bruce wrote:
> >
> ...
> >
> > It secretly does work -- but only for those willing to take the plunge and:
> >
> > WARNING: Not recommended unless you *must* have this functionality...
> >
> > sudo chmod u+s /usr/bin/newgrp
> >
> > NOTE: Assuming /usr/bin/newgrp is already owned by root
> >
> > See newgrp(8) for additional details.
>
> Indeed it will work if it is properly setuid root. The question was
> whether we should further deprecate it or document it. ;)

We should document the requirement to add u+s in older branches and
deprecate it with the aim of removing it. It's only usable on single
systems unless you are willing to put the hashes in NIS since there
isn't the possibility of a group password in LDAP. Worse yet, it's
probably only portable in practice with DES hashes which must be exposed
to the user. Finally, even without the problem of the exposed hashes,
any user (even nobody or www) can become a member of the group just by
knowing the shared secret.

Users who want this functionality are probably better served with sudo
and a well designed sudoers configuration. It won't have exactly the
same affordances, but the affordances of newgrp are terrible.

-- Brooks
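
The audit below is an added example, not part of the original message or of FreeBSD's own tooling: it lists group(5) entries whose password field can still match a password, classifying each as a traditional 13-character DES hash or a $-prefixed modular hash, and checks the setuid bit that newgrp needs. The sample group file and its hash strings are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: find groups that still carry a usable group password.

# audit_group_passwords [FILE...]
# Reads group(5) data (stdin when no file is given) and prints
# "group<TAB>kind" for every entry whose password field is not empty
# and not locked. kind: des | modular | other.
audit_group_passwords() {
    awk -F: '
        /^[#+-]/ || NF < 3 { next }            # comments, NIS compat lines, junk
        $2 == "" || $2 ~ "^[*!]" { next }      # "*" and "!" never occur in crypt output
        {
            kind = "other"
            if (substr($2, 1, 1) == "$")
                kind = "modular"               # $id$salt$hash style
            else if (length($2) == 13 && $2 ~ "^[./0-9A-Za-z]+$")
                kind = "des"                   # traditional crypt(3) DES format
            printf "%s\t%s\n", $1, kind
        }
    ' "$@"
}

# newgrp_is_setuid [PATH]
# Succeeds when the binary has the setuid bit, which is what lets newgrp
# honour group passwords. The default path is the one named in the thread.
newgrp_is_setuid() {
    [ -u "${1:-/usr/bin/newgrp}" ]
}

# Constructed sample data; the hash strings are placeholders, not real hashes.
sample_group() {
    cat <<'EOF'
# constructed sample, not from a real system
wheel:*:0:root
staff::20:
ops:abCdEfGhIjKlM:1001:alice
deploy:$6$examplesalt$examplehashvalue:1002:
+:*::
EOF
}

# Demo on the sample; on a real host run: audit_group_passwords /etc/group
sample_group | audit_group_passwords
if newgrp_is_setuid; then
    echo "newgrp is setuid: group passwords are live"
fi
```

Any group the audit prints is a candidate for replacement with a sudoers rule, after which the password field can be set back to "*".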