Date:      Tue, 31 Jul 2001 05:35:00 +0100 (BST)
From:      Joshua Goodall <joshua@roughtrade.net>
To:        Sheldon Hearn <sheldonh@starjuice.net>
Cc:        Kris Kennaway <kris@obsecurity.org>, <current@FreeBSD.org>
Subject:   Re: su root broken in -CURRENT 
Message-ID:  <Pine.LNX.4.33.0107310513010.29718-100000@elm.phenome.org>
In-Reply-To: <72885.996138844@axl.seasidesoftware.co.za>


On Thu, 26 Jul 2001, Sheldon Hearn wrote:

> On Wed, 25 Jul 2001 19:20:45 MST, Kris Kennaway wrote:
>
> > Isn't this backwards?  Code shouldn't be making assumptions about the
> > special meaning of numeric gids.  What if you wanted to renumber gid
> > wheel to something else?
>
> So?  My primary group is 0.  In /etc/group, group wheel's numeric value
> is 0.

The FreeBSD 4.3 manpage says:
     Only users who are a member of group 0 (normally ``wheel'') can su to
     ``root''.   If group 0 is missing or empty, any user can su to
     ``root''.

The OpenBSD-current manpage says (more explicitly):
     If group 0 (normally ``wheel'') has users listed then only those
     users can su to ``root''. It is not sufficient to change a user's
     /etc/passwd entry to add them to the ``wheel'' group; they must
     explicitly be listed in /etc/group. If no one is in the ``wheel''
     group, it is ignored, and anyone who knows the root password is
     permitted to su to ``root''.

The FreeBSD -CURRENT manpage doesn't mention wheel at all, referring the
reader to pam.conf to work out the semantics. I think this is a loss -
the defaults for su in pam.conf should at least be covered in the manpage.

Joshua
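
The group-0 rule quoted in the message above, as an added example that is not part of the original e-mail and not taken from any su source code: it follows the OpenBSD wording, where only an explicit listing in /etc/group counts and an empty or missing group 0 disables the gate. The sample group file, the user names and both function names are constructed for illustration.

```python
# Added example: models only the group-0 gate described in the quoted manpage text.
# SAMPLE_GROUP is constructed data; the user names in it are hypothetical.
SAMPLE_GROUP = """\
wheel:*:0:root,alice
daemon:*:1:
operator:*:5:root
staff:*:20:bob
"""


def gid0_members(group_text):
    """Users explicitly listed on gid-0 lines; None if no line has gid 0."""
    members = None
    for raw in group_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4 or not fields[2].isdigit():
            continue  # skip malformed lines rather than guess at them
        if int(fields[2]) == 0:
            # Keyed on the numeric gid, as the manpages are, not on the name.
            # Merging several gid-0 lines is a choice made by this example.
            if members is None:
                members = set()
            members.update(u.strip() for u in fields[3].split(",") if u.strip())
    return members


def may_su_to_root(user, group_text):
    """Return (allowed, reason). A passwd primary gid of 0 is deliberately ignored."""
    members = gid0_members(group_text)
    if members is None:
        return True, "no group with gid 0: gate not enforced"
    if not members:
        return True, "group 0 has no listed users: gate not enforced"
    if user in members:
        return True, "explicitly listed in group 0"
    return False, "group 0 is populated and user is not listed"


if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, may_su_to_root(name, SAMPLE_GROUP))
```

An "allowed" result only means the group gate does not block the user; the root password is still required. Running the check against a copy of a host's group file shows whether the gate is actually enforced there or silently open to everyone.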


