From owner-cvs-all  Sat May 11 12:45:58 2002
Delivered-To: cvs-all@freebsd.org
Received: from khavrinen.lcs.mit.edu (khavrinen.lcs.mit.edu [18.24.4.193])
	by hub.freebsd.org (Postfix) with ESMTP
	id F13CB37B404; Sat, 11 May 2002 12:45:54 -0700 (PDT)
Received: from khavrinen.lcs.mit.edu (localhost [IPv6:::1])
	by khavrinen.lcs.mit.edu (8.12.3/8.12.3) with ESMTP id g4BJjrEN011770;
	Sat, 11 May 2002 15:45:54 -0400 (EDT)
	(envelope-from wollman@khavrinen.lcs.mit.edu)
Received: (from wollman@localhost)
	by khavrinen.lcs.mit.edu (8.12.3/8.12.3/Submit) id g4BJjrbG011767;
	Sat, 11 May 2002 15:45:53 -0400 (EDT)
Date: Sat, 11 May 2002 15:45:53 -0400 (EDT)
From: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Message-Id: <200205111945.g4BJjrbG011767@khavrinen.lcs.mit.edu>
To: Jacques Vidrine <nectar@FreeBSD.org>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: cvs commit: src/kerberos5/usr.bin/k5su Makefile
In-Reply-To: <200205111405.g4BE58T85035@freefall.freebsd.org>
References: <200205111405.g4BE58T85035@freefall.freebsd.org>
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

<<On Sat, 11 May 2002 07:05:08 -0700 (PDT), Jacques Vidrine <nectar@FreeBSD.org> said:

>   Do not install this with set-user-ID bit set.  This utility does not
>   grok the `wheel' group.

That is by design.

Kerberos `su' to root is only supposed to depend on whether the user
can authenticate as the principal logname/root@MYREALM, and is listed
on root's ACL for the machine on which `su' is run.  This is a
stronger requirement than being in group `wheel'.

-GAWollman


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message