Delivered-To: freebsd-questions@freebsd.org
From: Matthew Pherigo
Subject: Re: 'pw usermod -G' not removing user from group?
Date: Thu, 26 Mar 2015 09:24:58 -0500
To: Rick Miller
Cc: FreeBSD Users

Thanks for your email, Rick. While I understand the necessity of the security-patch-only limitation, I would argue that this issue actually IS a security risk, like so:

Case 1: admin needs to add a user to a group. This works correctly.

Case 2: admin needs to remove a user from a group. This doesn't work, but since the admin has just shown that he doesn't need or want this user to be part of the group, he won't attempt to access those group resources by the user unless he is explicitly testing it. I only noticed this bug because Salt had a test case for it.

Case 3: admin needs to remove one group and add another. The new group is added correctly, but the old group is not removed. It's much more likely that the addition will be noticed while the failed removal will not.

I would argue that this is much more dangerous than the opposite (addition of groups failing but removal of groups succeeding), as giving an account too much privilege is a security risk while an account not having enough privilege is simply an inconvenience.

Hopefully this can be resolved soon.
--Matt

> On Mar 26, 2015, at 7:28 AM, Rick Miller wrote:
>
>> On Wed, Mar 25, 2015 at 5:18 PM, Matthew Pherigo wrote:
>> Thanks, Rick! It's crazy that they didn't allow it in; seems like a pretty big issue. Hopefully they'll release a patch through FreeBSD-update soon. In the meantime, do you or anyone else know how to work around this?
>
> I believe it's unlikely to hit releng/10.1, but I could be wrong. The reason I don't think it will be merged is because RE and/or security officer probably don't believe it fits the criteria for merging into a releng branch, which typically only receive security and errata updates. That said, because it did get merged into stable/10, it will be included in releng/10.2.
>
> I merged the patch from stable/10 into our internal development branches so that it would be available in our internal distributions. It was caught in time so that we did not have to go to great lengths to get it deployed. It was simply a matter of compiling the distribution. For systems already installed it is necessary to apply the patch to the sources and recompile and reinstall base.
>
> --
> Take care
> Rick Miller
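A post-change audit for the failure mode described in this thread (the old group silently not being removed), added here as an example and not code from the thread or from FreeBSD's pw(8): it parses /etc/group-style lines for a user's supplementary groups and reports any group the admin expected to drop but that is still present. The sample group file, user names and function names are constructed for this example.

```shell
#!/bin/sh
# Constructed sample of /etc/group lines (not taken from a real system).
SAMPLE_GROUP='wheel:*:0:root,alice
operator:*:5:root
staff:*:20:alice,bob
www:*:80:
video:*:44:alice'

# groups_of USER [GROUP_FILE_CONTENT]
# Prints the sorted, space-separated supplementary groups whose member
# list contains USER (the memberships that 'pw usermod -G' is meant to
# replace). Reads /etc/group when no content is supplied.
groups_of() {
    user="$1"
    content="${2:-$(cat /etc/group)}"
    printf '%s\n' "$content" | awk -F: -v u="$user" '
        NF >= 4 {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) { print $1; break }
        }' | sort | tr '\n' ' ' | sed 's/ $//'
}

# stale_groups USER EXPECTED_CSV [GROUP_FILE_CONTENT]
# Prints the groups USER still belongs to that are NOT in the comma-separated
# list the admin just set with -G; an empty result means the removal took.
stale_groups() {
    user="$1"; expected="$2"; content="$3"
    actual=$(groups_of "$user" "$content")
    out=""
    for g in $actual; do
        case ",$expected," in
            *",$g,"*) ;;              # still wanted
            *) out="$out$g " ;;       # should have been removed
        esac
    done
    printf '%s' "${out% }"
}

# On FreeBSD, apply the change and then audit it (not run here by default):
#   pw usermod alice -G wheel,staff
#   stale=$(stale_groups alice wheel,staff "$(cat /etc/group)")
#   [ -z "$stale" ] || echo "alice still in: $stale" >&2
```

On the constructed sample, alice is in wheel, staff and video, so setting her groups to wheel,staff and then auditing reports video as a stale membership.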