Date: Fri, 8 Feb 2013 11:10:06 +0100
From: Paul Schenkeveld
To: freebsd-arch@freebsd.org
Subject: Re: group(5) Group Passwords do not work

On Fri, Feb 08, 2013 at 09:21:42AM +0100, Dag-Erling Smørgrav wrote:
> Diane Bruce writes:
> > It was also suggested on IRC that it is also possible that some pam
> > code does expect group passwords to work or at least passed through.
>
> No, who gave you that idea?
>
> The only places where gr_passwd is mentioned in head are:
>
> contrib/mtree/getid.c
> include/grp.h
> lib/libc/gen/getgrent.3
> lib/libc/gen/getgrent.c
> lib/libutil/gr_util.c
> libexec/mknetid/parse_group.c
> share/man/man5/group.5
> tools/regression/lib/libc/nss/test-getgr.c
> tools/regression/lib/libutil/test-grp.c
> usr.bin/getent/getent.c
> usr.bin/logins/logins.c
> usr.bin/newgrp/newgrp.c

Newgrp still has the capability of letting non-root users change their
group to any group that the user can supply a correct group password for.
To enable this capability do "chmod u+s /usr/bin/newgrp".

I suppose this setuid bit was turned off by default a long time ago as
switching groups became more or less redundant when supplementary group
ID's were introduced. I've used newgrp quite a lot on old System V UNIX
machines back in the 1980's when supplementary group id's were not
available.

So it's incorrect to say that the password field in /etc/group does not
work and cannot work in FreeBSD. After all /etc/group is just a database
containing group records and it's up to programs to decide what to do
with that data. AFAIK this field is also part of the POSIX standard so
it should stay there and the functionality in pw(8) and other programs
still matters if you happen to run software on your system that uses
this piece of data.

> usr.sbin/makefs/getid.c
> usr.sbin/nscd/agents/group.c
> usr.sbin/pw/pw_group.c

HTH,

Paul Schenkeveld
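
An added example, not part of the original message or of FreeBSD's code: a POSIX sh audit for the combination described above, group(5) records that carry a password field while newgrp has the setuid bit. The function names, the sample records, and the rule that an empty or `*`-prefixed field means "no password" are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): audit group(5) password
# fields together with the setuid bit on newgrp.

# Constructed sample in group(5) format: name:passwd:gid:members
sample_groups() {
    cat <<'EOF'
# constructed sample data
wheel:*:0:root
staff:$6$CONSTRUCTED$notarealhash:20:
operator:*:5:root
dev::1001:alice,bob
EOF
}

# Read group(5) records on stdin; print names whose password field is set.
# Assumption: an empty field or one starting with "*" means "no password".
groups_with_password() {
    awk -F: '
        /^#/ || NF < 3 { next }   # skip comments and malformed records
        $2 != "" && $2 !~ /^\*/ { print $1 }
    '
}

# Succeed if the file has the setuid bit set (test -u is POSIX).
is_setuid() {
    [ -u "$1" ]
}

# audit GROUP_FILE NEWGRP_BINARY
# Returns 1 only when password-bearing groups exist AND newgrp is setuid,
# the combination the message above describes.
audit() {
    found=$(groups_with_password < "$1")
    if is_setuid "$2"; then state="setuid"; else state="not setuid"; fi
    echo "newgrp ($2): $state"
    for g in $found; do
        echo "group with password field set: $g"
    done
    [ -z "$found" ] || ! is_setuid "$2"
}

# Usage: sh audit.sh /etc/group /usr/bin/newgrp ; without arguments, run the sample.
if [ "$#" -eq 2 ]; then
    audit "$1" "$2"
else
    sample_groups | groups_with_password
fi
```

A non-zero exit status from `audit` means both conditions hold; clearing either the setuid bit or the password fields brings it back to zero.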