Date: Tue, 31 Jul 2001 03:38:57 -0700
From: Terry Lambert <tlambert2@mindspring.com>
To: Sheldon Hearn <sheldonh@starjuice.net>
Cc: Joshua Goodall <joshua@roughtrade.net>, Kris Kennaway <kris@obsecurity.org>, current@FreeBSD.ORG
Subject: Re: su root broken in -CURRENT
Message-ID: <3B668AC1.BAC483AD@mindspring.com>
References: <3685.996569090@axl.seasidesoftware.co.za>
Sheldon Hearn wrote:
>
> The FreeBSD 4.3 manpage says:
>
> > Only users who are a member of group 0 (normally ``wheel'') can su to
> > ``root''. If group 0 is missing or empty, any user can su to
> > ``root''.
>
> I guess that could (at a stretch) be interpreted the same as OpenBSD's
> behaviour.
>
> I guess I'll withdraw my complaint, since it just boils down to "the
> behaviour changed!" now.

The reason for this is that the pam code for doing the enforcement is
being trusted utterly.

In the past, we would consider both the primary group (the group from
the passwd file entry), and the auxiliary groups (the groups from the
groups file entries, if any), as synonymous.

With the pam code being used, we no longer consider the primary group
to be on the same par as the groups file entries.

IMO, this is bad, and should be fixed: the OpenBSD code is just a
rationalization of the behaviour forced when you don't consider the
user's primary group.

It seems very odd to me that the primary group is ignored, while the
auxiliary group memberships are what determines whether or not it's
possible for a person to su... call me crazy, but I think it's the job
of the interface to rationalize this, so that the _most significant
group membership_ is not ignored.

-- Terry
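The two membership rules Terry contrasts, written out as an added example (this is not code from FreeBSD's su(1), from PAM, or from anyone in the thread). `may_su_root()` applies the manpage rule quoted above (group 0 missing or empty lets anyone through) and then checks the wheel member list; with `consider_primary` set it also counts the user's passwd gid, which is the older behaviour described in the post. The passwd and group text, the user names and the helper names are constructed for the example so it runs offline against no real system files.

```c
/*
 * Added example, not FreeBSD su(1) or PAM code. It contrasts:
 *   - supplementary-only: the user must appear in the wheel entry's member
 *     list (the behaviour the post attributes to the PAM code path);
 *   - primary + supplementary: the passwd gid counts as well (the older
 *     behaviour the post describes).
 * PASSWD_DB and GROUP_DB are constructed sample text in passwd(5)/group(5)
 * line format, not real system files.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define WHEEL_GID 0

static const char *PASSWD_DB =
    "root:*:0:0:Charlie &:/root:/bin/csh\n"
    "alice:*:1001:0:Alice:/home/alice:/bin/sh\n"     /* primary gid 0, not listed in wheel */
    "bob:*:1002:1002:Bob:/home/bob:/bin/sh\n"        /* listed in wheel's member list */
    "carol:*:1003:1003:Carol:/home/carol:/bin/sh\n"; /* neither */

static const char *GROUP_DB =
    "wheel:*:0:root,bob\n"
    "bob:*:1002:\n"
    "carol:*:1003:\n";

/* Primary gid of `user` from the passwd text (4th field); -1 if no such user. */
static long primary_gid(const char *db, const char *user)
{
    size_t ulen = strlen(user);
    const char *line = db;
    while (*line) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len > ulen && strncmp(line, user, ulen) == 0 && line[ulen] == ':') {
            const char *p = line;
            for (int field = 0; field < 3; field++) {   /* skip name, passwd, uid */
                p = memchr(p, ':', len - (size_t)(p - line));
                if (!p) return -1;
                p++;
            }
            return strtol(p, NULL, 10);
        }
        if (!eol) break;
        line = eol + 1;
    }
    return -1;
}

/* Locate the group(5) line with numeric gid `gid`; on success set *members
 * and *mlen to its (possibly empty) member-list field and return 1. */
static int find_group(const char *db, long gid, const char **members, size_t *mlen)
{
    const char *line = db;
    while (*line) {
        const char *eol = strchr(line, '\n');
        const char *end = eol ? eol : line + strlen(line);
        const char *p = line;
        for (int field = 0; field < 2 && p; field++) {  /* skip name, passwd */
            p = memchr(p, ':', (size_t)(end - p));
            if (p) p++;
        }
        if (p && strtol(p, NULL, 10) == gid) {
            const char *m = memchr(p, ':', (size_t)(end - p));
            *members = m ? m + 1 : end;
            *mlen = (size_t)(end - *members);
            return 1;
        }
        if (!eol) break;
        line = eol + 1;
    }
    return 0;
}

/* Is `user` one of the comma-separated names in members[0..mlen)? */
static int in_member_list(const char *members, size_t mlen, const char *user)
{
    size_t ulen = strlen(user);
    const char *p = members, *end = members + mlen;
    while (p < end) {
        const char *comma = memchr(p, ',', (size_t)(end - p));
        size_t toklen = comma ? (size_t)(comma - p) : (size_t)(end - p);
        if (toklen == ulen && memcmp(p, user, ulen) == 0) return 1;
        if (!comma) break;
        p = comma + 1;
    }
    return 0;
}

/* Manpage rule: group 0 missing or empty -> anyone may su. Otherwise the user
 * must be a wheel member; with consider_primary, a passwd gid of 0 also counts. */
int may_su_root(const char *user, int consider_primary)
{
    const char *members; size_t mlen;
    if (!find_group(GROUP_DB, WHEEL_GID, &members, &mlen) || mlen == 0) return 1;
    if (in_member_list(members, mlen, user)) return 1;
    if (consider_primary && primary_gid(PASSWD_DB, user) == WHEEL_GID) return 1;
    return 0;
}

int main(void)
{
    const char *users[] = { "root", "alice", "bob", "carol" };
    for (size_t i = 0; i < 4; i++)
        printf("%-6s supplementary-only=%d  primary+supplementary=%d\n",
               users[i], may_su_root(users[i], 0), may_su_root(users[i], 1));
    return 0;
}
```

In the constructed data, `alice` is the case the post is about: her passwd entry puts her in group 0, but she is absent from wheel's member list, so the supplementary-only rule refuses her while the combined rule admits her. Whichever rule a site settles on, an audit of "who can become root" has to read both files, since either one alone under-reports.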