From owner-freebsd-current Mon Jul 30 21:35:20 2001
Delivered-To: freebsd-current@freebsd.org
Received: from elm.phenome.org (elm.phenome.org [194.153.169.3]) by hub.freebsd.org (Postfix) with ESMTP id 8540837B401 for ; Mon, 30 Jul 2001 21:35:16 -0700 (PDT) (envelope-from joshua@roughtrade.net)
Received: from localhost (joshua@localhost [127.0.0.1]) by localhost (8.12.0.Beta7/8.12.0.Beta7/Debian 8.12.0.Beta7-1) with ESMTP id f6V4Z0CC029695; Tue, 31 Jul 2001 05:35:01 +0100
Date: Tue, 31 Jul 2001 05:35:00 +0100 (BST)
From: Joshua Goodall
X-X-Sender:
To: Sheldon Hearn
Cc: Kris Kennaway ,
Subject: Re: su root broken in -CURRENT
In-Reply-To: <72885.996138844@axl.seasidesoftware.co.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

On Thu, 26 Jul 2001, Sheldon Hearn wrote:

> On Wed, 25 Jul 2001 19:20:45 MST, Kris Kennaway wrote:
>
> > Isn't this backwards? Code shouldn't be making assumptions about the
> > special meaning of numeric gids. What if you wanted to renumber gid
> > wheel to something else?
>
> So? My primary group is 0. In /etc/group, group wheel's numeric value
> is 0.

The FreeBSD 4.3 manpage says:

    Only users who are a member of group 0 (normally ``wheel'') can su to
    ``root''. If group 0 is missing or empty, any user can su to ``root''.

The OpenBSD-current manpage says (more explicitly):

    If group 0 (normally ``wheel'') has users listed then only those users
    can su to ``root''. It is not sufficient to change a user's /etc/passwd
    entry to add them to the ``wheel'' group; they must explicitly be listed
    in /etc/group. If no one is in the ``wheel'' group, it is ignored, and
    anyone who knows the root password is permitted to su to ``root''.

The FreeBSD -CURRENT manpage doesn't mention wheel at all, referring the
reader to pam.conf to work out the semantics.

I think this is a loss - the defaults for su in pam.conf should at least be
covered in the manpage.

Joshua

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
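The two manpage wordings quoted in the thread differ on exactly the case Sheldon describes (primary gid 0 in /etc/passwd, but not listed in /etc/group). The following is an added example, not code from the thread or from the FreeBSD or OpenBSD su sources: it parses constructed /etc/passwd and /etc/group text and evaluates each user against the OpenBSD wording (explicit listing only) and against a broader reading of the FreeBSD 4.3 wording in which a primary gid of 0 also counts. That broader reading is an assumption made for illustration, not a statement of what the 4.3 binary does. It also includes the audit check an administrator would want, since both wordings silently drop the restriction when group 0 is missing or empty.

```python
"""Model of the su-to-root group-0 rules quoted in the thread (added example)."""

from dataclasses import dataclass

# Constructed sample files for the example; not real system data.
SAMPLE_PASSWD = """\
root:*:0:0:Charlie &:/root:/bin/csh
sheldon:*:1001:0:Sheldon:/home/sheldon:/bin/sh
kris:*:1002:1002:Kris:/home/kris:/bin/sh
joshua:*:1003:1003:Joshua:/home/joshua:/bin/sh
"""

SAMPLE_GROUP = """\
wheel:*:0:root,kris
daemon:*:1:
"""


@dataclass
class Account:
    name: str
    uid: int
    gid: int  # primary gid from the /etc/passwd entry


@dataclass
class Group:
    name: str
    gid: int
    members: list  # explicit member list from the /etc/group entry


def parse_passwd(text):
    """Parse name:passwd:uid:gid:... lines; malformed lines are skipped."""
    accounts = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 4:
            continue
        accounts[fields[0]] = Account(fields[0], int(fields[2]), int(fields[3]))
    return accounts


def parse_group(text):
    """Parse name:passwd:gid:member,member lines, keyed by numeric gid."""
    groups = {}
    for line in text.splitlines():
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 4:
            continue
        members = [m for m in fields[3].split(",") if m]
        groups[int(fields[2])] = Group(fields[0], int(fields[2]), members)
    return groups


def listed_in_gid0(groups):
    """Explicit member names of the gid-0 group, or None if no such group."""
    g = groups.get(0)
    return None if g is None else list(g.members)


def may_su_strict(user, accounts, groups):
    """OpenBSD wording: only users explicitly listed in group 0 count.
    A missing or empty group 0 means the check is ignored entirely."""
    listed = listed_in_gid0(groups)
    if not listed:  # None (missing) or [] (empty): restriction is off
        return True
    return user in listed


def may_su_broad(user, accounts, groups):
    """Assumed broad reading of the 4.3 wording: a primary gid of 0 in
    /etc/passwd also makes the user a 'member of group 0'. This models
    the reading in Sheldon's reply, not the actual 4.3 implementation."""
    listed = listed_in_gid0(groups)
    if not listed:
        return True
    acct = accounts.get(user)
    return user in listed or (acct is not None and acct.gid == 0)


def audit_gid0(groups):
    """Configuration check: under both wordings, a missing or empty group 0
    turns the wheel restriction off for everyone who knows the password."""
    listed = listed_in_gid0(groups)
    if listed is None:
        return "group 0 missing: wheel restriction disabled"
    if not listed:
        return "group 0 has no members: wheel restriction disabled"
    return "group 0 restricts su to root to: " + ", ".join(listed)


def report(passwd_text=SAMPLE_PASSWD, group_text=SAMPLE_GROUP):
    """Per user: (allowed under strict wording, allowed under broad reading)."""
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    return {u: (may_su_strict(u, accounts, groups),
                may_su_broad(u, accounts, groups)) for u in accounts}


if __name__ == "__main__":
    print(audit_gid0(parse_group(SAMPLE_GROUP)))
    for user, (strict, broad) in report().items():
        print(f"{user:8} strict={strict!s:5} broad={broad}")
```

With the constructed files, `sheldon` is the disputed case: denied under the explicit-listing wording, allowed under the broad reading; `kris` is allowed under both, `joshua` under neither. The audit function is the piece worth running on a real host, since an empty wheel group is easy to miss and is exactly the state both manpages describe as "any user can su".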