From owner-cvs-all  Sat May 11 15:36:31 2002
Delivered-To: cvs-all@freebsd.org
Received: from gw.nectar.cc (gw.nectar.cc [208.42.49.153])
	by hub.freebsd.org (Postfix) with ESMTP
	id 31CF737B405; Sat, 11 May 2002 15:36:26 -0700 (PDT)
Received: from madman.nectar.cc (madman.nectar.cc [10.0.1.111])
	by gw.nectar.cc (Postfix) with ESMTP
	id C2A2C3C; Sat, 11 May 2002 17:36:25 -0500 (CDT)
Received: from madman.nectar.cc (localhost [IPv6:::1])
	by madman.nectar.cc (8.12.3/8.11.6) with ESMTP id g4BMaPr7060896;
	Sat, 11 May 2002 17:36:25 -0500 (CDT)
	(envelope-from nectar@madman.nectar.cc)
Received: (from nectar@localhost)
	by madman.nectar.cc (8.12.3/8.12.3/Submit) id g4BMaPVd060895;
	Sat, 11 May 2002 17:36:25 -0500 (CDT)
Date: Sat, 11 May 2002 17:36:25 -0500
From: "Jacques A. Vidrine" <nectar@FreeBSD.org>
To: Garrett Wollman <wollman@khavrinen.lcs.mit.edu>
Cc: cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
Subject: Re: cvs commit: src/kerberos5/usr.bin/k5su Makefile
Message-ID: <20020511223625.GC60845@madman.nectar.cc>
Mail-Followup-To: "Jacques A. Vidrine" <nectar@FreeBSD.org>,
	Garrett Wollman <wollman@khavrinen.lcs.mit.edu>,
	cvs-committers@FreeBSD.org, cvs-all@FreeBSD.org
References: <200205111405.g4BE58T85035@freefall.freebsd.org> <200205111945.g4BJjrbG011767@khavrinen.lcs.mit.edu>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <200205111945.g4BJjrbG011767@khavrinen.lcs.mit.edu>
User-Agent: Mutt/1.3.28i
X-Url: http://www.nectar.cc/
Sender: owner-cvs-all@FreeBSD.ORG
Precedence: bulk
List-ID: <cvs-all.FreeBSD.ORG>
List-Archive: <http://docs.freebsd.org/mail/> (Web Archive)
List-Help: <mailto:majordomo@FreeBSD.ORG?subject=help> (List Instructions)
List-Subscribe: <mailto:majordomo@FreeBSD.ORG?subject=subscribe%20cvs-all>
List-Unsubscribe: <mailto:majordomo@FreeBSD.ORG?subject=unsubscribe%20cvs-all>
X-Loop: FreeBSD.ORG

On Sat, May 11, 2002 at 03:45:53PM -0400, Garrett Wollman wrote:
> <<On Sat, 11 May 2002 07:05:08 -0700 (PDT), Jacques Vidrine <nectar@FreeBSD.org> said:
> 
> >   Do not install this with set-user-ID bit set.  This utility does not
> >   grok the `wheel' group.
> 
> That is by design.

Right, I indicated this in a private follow-up to jmallet.
 
> Kerberos `su' to root is only supposed to depend on whether the user
> can authenticate as the principal logname/root@MYREALM, and is listed
> on root's ACL for the machine on which `su' is run.  This is a
> stronger requirement than being in group `wheel'.

The Heimdal `su' doesn't work that way.  It works like `su' on most
non-BSD systems.

However, this utility will be going away, so I'm not bothering with it
much.  It just won't go away in time for 4.6-RELEASE.

Cheers,
-- 
Jacques A. Vidrine <n@nectar.cc>                 http://www.nectar.cc/
NTT/Verio SME          .     FreeBSD UNIX     .       Heimdal Kerberos
jvidrine@verio.net     .  nectar@FreeBSD.org  .          nectar@kth.se

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe cvs-all" in the body of the message