From owner-freebsd-bugs Sat Apr 12 17:20:50 1997
Return-Path:
Received: (from root@localhost) by freefall.freebsd.org (8.8.5/8.8.5) id RAA04352 for bugs-outgoing; Sat, 12 Apr 1997 17:20:50 -0700 (PDT)
Received: from unique.usn.blaze.net.au (unique.usn.blaze.net.au [203.17.53.17]) by freefall.freebsd.org (8.8.5/8.8.5) with ESMTP id RAA04339 for ; Sat, 12 Apr 1997 17:20:45 -0700 (PDT)
Received: (from davidn@localhost) by unique.usn.blaze.net.au (8.8.5/8.8.5) id KAA01732; Sun, 13 Apr 1997 10:20:44 +1000 (EST)
Message-ID: <19970413102043.15146@usn.blaze.net.au>
Date: Sun, 13 Apr 1997 10:20:43 +1000
From: David Nugent
To: freebsd-bugs@freefall.freebsd.org
Subject: Re: bin/3233: adduser(8) doesn't add users to the wheel group
References: <199704090200.TAA18639@freefall.freebsd.org> <19970409123407.25120@usn.blaze.net.au> <19970413011358.FR00064@uriah.heep.sax.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.69e
In-Reply-To: <19970413011358.FR00064@uriah.heep.sax.de>; from J Wunsch on Sun Apr 13 01:13:58 EST 1997
Sender: owner-bugs@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Sun Apr 13 01:13:58 EST 1997, J Wunsch writes:
>
> Are you sure? (Well, as the author of pw(8), you should be sure. ;-)
> At least, it offers both, -g and -G, so it should be possible to
> say
>
>     pw adduser mmblfrtz -g wheel -G wheel,operator

Yes, that will work. pw doesn't attempt to do anything smart and
remove redundant secondary memberships (as initgroups() does do,
incidentally, so you don't seem to get doubling up of group access
permissions at runtime).

> I agree that the `wheel' case is very special here.

Yes, but perhaps this special case is more to do with the real
problem being su. :-) I already argued this before, that su should
look at the user's primary group as well. Since then, however, I'm
more inclined to argue that it should look at the group access list
for the current process using getgroups() and determine if group 0
is in the list.
Either would remove this problem altogether and should not represent
a security problem.

Regards,

David Nugent - Unique Computing Pty Ltd - Melbourne, Australia
Voice +61-3-9791-9547  Data/BBS +61-3-9792-3507  3:632/348@fidonet
davidn@freebsd.org davidn@blaze.net.au http://www.blaze.net.au/~davidn/