From: Matthew Pherigo
Date: Thu, 26 Mar 2015 12:50:27 -0500
Subject: Re: 'pw usermod -G' not removing user from group?
To: Michael Ross
Cc: Rick Miller, FreeBSD Users

> On Mar 26, 2015, at 12:04 PM, Michael Ross wrote:
>
>> On Thu, 26 Mar 2015 16:37:11 +0100, Rick Miller wrote:
>>
>> On Thu, Mar 26, 2015 at 10:24 AM, Matthew Pherigo wrote:
>>
>>> Thanks for your email, Rick. While I understand the necessity of the
>>> security-patch-only limitation, I would argue that this issue actually IS a
>>> security risk, like so:
>>>
>>> Case 1: admin needs to add a user to a group. This works correctly.
>>> Case 2: admin needs to remove a user from a group. This doesn't work, but
>>> since the admin has just shown that he doesn't need or want this user to be
>>> part of the group, he won't attempt to access those group resources by the
>>> user unless he is explicitly testing it. I only noticed this bug because
>>> Salt had a test case for it.
>>> Case 3: admin needs to remove one group and add another. The new group is
>>> added correctly, but the old group is not removed. It's much more likely
>>> that the addition will be noticed while the failed removal will not.
>>>
>>> I would argue that this is much more dangerous than the opposite (addition
>>> of groups failing but removal of groups succeeding), as giving an account
>>> too much privilege is a security risk while an account not having enough
>>> privilege is simply an inconvenience.
>>
>> Just a quick nitpick... on mailing lists where threads can often be very
>> lengthy it is generally accepted that inline posting is preferred to
>> top-posting. This practice helps to maintain the readability of a thread.
>>
>> That said, after closer inspection, the behavior you described is not
>> identical to the behavior described and illustrated in the PR referenced.
>> Chalk it up to me not reading your post closely enough. My apologies.
>> PR187189 specifically addresses duplicate groups with differing IDs where
>> the behavior you're experiencing, while similar, does not include duplicate
>> groups.
>>
>> You may consider opening a PR for this if one is not already open.
>
> https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=185666
>
> dated 2014/01/11, patched 2014/10/28 and 2014/11/04

Oh dear, that describes the behavior I'm experiencing exactly. I'll test this
out on a fresh install; if it still happens there, then it must be another
regression? Thanks for showing me this PR, Michael.

--Matt
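A check for the failure mode described in the thread (case 3: the new group is added but the old one is never dropped), added here as an example and not part of the thread or of FreeBSD's pw: it reads a file in /etc/group format and compares a user's actual supplementary groups with the list the admin intended to pass to `pw usermod -G`. The sample group file and the user name "matt" are constructed; on a real host, point `check_membership` at /etc/group after the pw run.

```shell
#!/bin/sh
# Constructed /etc/group excerpt (not from the thread) modelling case 3:
# "matt" was moved from "operator" to "wheel" with `pw usermod matt -G wheel`;
# the new membership was added, but the old one was never removed.
SAMPLE_GROUP='wheel:*:0:root,matt
operator:*:5:root,matt
staff:*:20:
www:*:80:'

# Write the sample to a temporary file and print its path; on a real host
# point check_membership at /etc/group instead.
sample_group_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_GROUP" > "$f"
    printf '%s\n' "$f"
}

# check_membership USER GROUPFILE EXPECTED
# EXPECTED is the comma-separated list that was passed to `pw usermod -G`.
# Prints one "STALE <group>" line per membership that should have been
# dropped and one "MISSING <group>" line per membership that was not added;
# exits 0 only when the file matches the intended state exactly. Plain awk,
# so it runs unchanged on FreeBSD or anywhere else.
check_membership() {
    awk -F: -v user="$1" -v expected="$3" '
        BEGIN {
            n = split(expected, e, ",")
            for (i = 1; i <= n; i++) want[e[i]] = 1
        }
        {
            # Field 4 is the comma-separated member list; it may be empty.
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == user) have[$1] = 1
        }
        END {
            bad = 0
            for (g in have) if (!(g in want)) { print "STALE " g; bad = 1 }
            for (g in want) if (!(g in have)) { print "MISSING " g; bad = 1 }
            exit bad
        }' "$2"
}

# Demo run: reports "STALE operator" because the removal silently failed.
demo_file=$(sample_group_file)
check_membership matt "$demo_file" wheel || echo "group drift detected for matt"
rm -f "$demo_file"
```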