Date: Sat, 11 May 2002 17:36:25 -0500 From: "Jacques A. Vidrine" <nectar@FreeBSD.org> To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu> Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org Subject: Re: cvs commit: src/kerberos5/usr.bin/k5su Makefile Message-ID: <20020511223625.GC60845@madman.nectar.cc> In-Reply-To: <200205111945.g4BJjrbG011767@khavrinen.lcs.mit.edu> References: <200205111405.g4BE58T85035@freefall.freebsd.org> <200205111945.g4BJjrbG011767@khavrinen.lcs.mit.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, May 11, 2002 at 03:45:53PM -0400, Garrett Wollman wrote: > <<On Sat, 11 May 2002 07:05:08 -0700 (PDT), Jacques Vidrine <nectar@FreeBSD.org> said: > > > Do not install this with set-user-ID bit set. This utility does not > > grok the `wheel' group. > > That is by design. Right, I indicated this in a private follow-up to jmallet. > Kerberos `su' to root is only supposed to depend on whether the user > can authenticate as the principal logname/root@MYREALM, and is listed > on root's ACL for the machine on which `su' is run. This is a > stronger requirement than being in group `wheel'. The Heimdal `su' doesn't work that way. It works like `su' on most non-BSD systems. However, this utility will be going away, so I'm not bothering with it much. It just won't go away in time for 4.6-RELEASE. Cheers, -- Jacques A. Vidrine <n@nectar.cc> http://www.nectar.cc/ NTT/Verio SME . FreeBSD UNIX . Heimdal Kerberos jvidrine@verio.net . nectar@FreeBSD.org . nectar@kth.se To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe cvs-all" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020511223625.GC60845>