From: Rick Miller
To: Matthew Pherigo
Cc: FreeBSD Users
Date: Thu, 26 Mar 2015 11:37:11 -0400
Subject: Re: 'pw usermod -G' not removing user from group?

On Thu, Mar 26, 2015 at 10:24 AM, Matthew Pherigo wrote:

> Thanks for your email, Rick. While I understand the necessity of the
> security-patch-only limitation, I would argue that this issue actually IS a
> security risk, like so:
>
> Case 1: admin needs to add a user to a group. This works correctly.
>
> Case 2: admin needs to remove a user from a group. This doesn't work, but
> since the admin has just shown that he doesn't need or want this user to be
> part of the group, he won't attempt to access those group resources by the
> user unless he is explicitly testing it. I only noticed this bug because
> Salt had a test case for it.
>
> Case 3: admin needs to remove one group and add another. The new group is
> added correctly, but the old group is not removed. It's much more likely
> that the addition will be noticed while the failed removal will not.
>
> I would argue that this is much more dangerous than the opposite (addition
> of groups failing but removal of groups succeeding), as giving an account
> too much privilege is a security risk while an account not having enough
> privilege is simply an inconvenience.

Just a quick nitpick: on mailing lists where threads can often be very lengthy, it is generally accepted that inline posting is preferred to top-posting. This practice helps to maintain the readability of a thread.

That said, after closer inspection, the behavior you described is not identical to the behavior described and illustrated in the PR referenced. Chalk it up to me not reading your post closely enough. My apologies.

PR187189 specifically addresses duplicate groups with differing IDs, whereas the behavior you're experiencing, while similar, does not include duplicate groups. You may consider opening a PR for this if one is not already open.

--
Take care
Rick Miller
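The failure mode Matthew describes above (a group that should have been removed staying attached to the account, so the account keeps privilege nobody intended) is easy to catch with a post-change audit. The following POSIX sh script is an added example, not code from this thread, from FreeBSD's pw(8) or from Salt; the helper names `check_groups` and `audit_user` are hypothetical. It assumes only id(1) and compares an account's live group list against the list the administrator intended, reporting extra groups (the dangerous direction) and missing ones.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: after changing an
# account's groups with `pw usermod -G`, verify that the live membership
# matches what was intended, so a failed removal is not silently left behind.
#
# check_groups EXPECTED ACTUAL
#   Both arguments are space-separated group lists. Prints "EXTRA: g" for
#   each group present but not intended, and "MISSING: g" for each intended
#   group that is absent. Returns 0 on an exact match, 1 otherwise.
check_groups() {
    expected="$1"
    actual="$2"
    status=0
    # Groups the account holds that it should not (privilege not removed).
    for g in $actual; do
        case " $expected " in
            *" $g "*) ;;
            *) echo "EXTRA: $g"; status=1 ;;
        esac
    done
    # Groups the account should hold but does not (privilege not granted).
    for g in $expected; do
        case " $actual " in
            *" $g "*) ;;
            *) echo "MISSING: $g"; status=1 ;;
        esac
    done
    return $status
}

# audit_user USER EXPECTED_GROUPS
#   Reads the live membership with `id -Gn` (which lists the primary group as
#   well, so EXPECTED_GROUPS must include it) and compares. Returns 2 if the
#   account does not exist.
audit_user() {
    user="$1"
    expected="$2"
    actual=$(id -Gn "$user" 2>/dev/null) || return 2
    check_groups "$expected" "$actual"
}

# Demonstration on constructed data mirroring "Case 3" of the thread: the
# administrator meant to swap wheel for operator, but wheel was never removed.
if check_groups "alice operator" "alice wheel operator"; then
    echo "membership matches intent"
else
    echo "membership differs from intent (see lines above)"
fi
```

In practice the call is `audit_user alice "alice operator"` right after the `pw usermod` invocation, with a non-zero exit treated as a failed change; a configuration-management run can wire that into the same step so the failed removal is flagged at the moment it happens rather than discovered later.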