Date: Thu, 24 Oct 1996 22:31:48 GMT
From: Arne Henrik Juul <arnej@frida.imf.unit.no>
To: FreeBSD-gnats-submit@freebsd.org
Subject: bin/1882: nobody can su when wheel group is empty
Message-ID: <199610242231.WAA00170@frida.imf.unit.no>
Resent-Message-ID: <199610242040.NAA20114@freefall.freebsd.org>
>Number: 1882
>Category: bin
>Synopsis: nobody can su when wheel group is empty
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Class: change-request
>Submitter-Id: current-users
>Arrival-Date: Thu Oct 24 13:40:02 PDT 1996
>Last-Modified:
>Originator: Arne Henrik Juul
>Organization:
Norwegian University of Technology and Science
>Release: FreeBSD 2.2-CURRENT i386
>Environment:
Any FreeBSD system
>Description:
There is no way to specify a policy where all users are
allowed to su to root. My strong opinion is that such a policy
should be selectable, but I also feel that the current FreeBSD policy
is most often preferable.
A common way of specifying all-allowed is to leave the wheel group
completely empty in your group file. This has the added advantage that
the old FreeBSD policy can be retained without any further modifications;
so nobody is allowed to su root until the group file actually is edited,
since FreeBSD by default has root as a member of group wheel.
>How-To-Repeat:
Install FreeBSD at your local CompSci/hacker club machines.
>Fix:
Apply this patch, complete with documentation changes.
Index: su.1
===================================================================
RCS file: /usr/cvs/src/usr.bin/su/su.1,v
retrieving revision 1.3
diff -u -r1.3 su.1
--- su.1 1996/08/29 18:06:13 1.3
+++ su.1 1996/10/24 22:24:54
@@ -141,12 +141,13 @@
usually expects a single argument only; you have to quote it when
passing multiple words.
.Pp
-Only users in group 0 (normally
+Only users listed in group 0 (normally
.Dq wheel )
can
.Nm su
to
-.Dq root .
+.Dq root ,
+unless this group is empty.
.Pp
By default (unless the prompt is reset by a startup file) the super-user
prompt is set to
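Review bot: the added line "unless this group is empty" in the group 0 paragraph does not say what happens in that case, and a reader can take it either way. Spell out the consequence, for example that when group 0 has no members listed in the group file the restriction is not applied and any user may su to root. It would also help to state that "empty" refers to the member list only, since the su.c change tests gr_mem and nothing else.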
Index: su.c
===================================================================
RCS file: /usr/cvs/src/usr.bin/su/su.c,v
retrieving revision 1.14
diff -u -r1.14 su.c
--- su.c 1996/10/07 10:00:58 1.14
+++ su.c 1996/10/24 22:23:30
@@ -193,7 +193,8 @@
#endif
{
/* only allow those in group zero to su to root. */
- if (pwd->pw_uid == 0 && (gr = getgrgid((gid_t)0)))
+ if (pwd->pw_uid == 0 && (gr = getgrgid((gid_t)0))
+ && gr->gr_mem && *(gr->gr_mem))
for (g = gr->gr_mem;; ++g) {
if (!*g)
errx(1,
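Review bot: the added condition `&& gr->gr_mem && *(gr->gr_mem)` makes the group 0 check fail open, while the comment directly above it still reads "only allow those in group zero to su to root", which is no longer accurate. Update the comment to describe the empty-list exception. Also consider that with this test, deleting the last listed member of group 0 silently lifts the restriction instead of tightening it, so an explicit opt-in would be safer than inferring the policy from an empty list. The unchanged part of the condition already skips the check when getgrgid() returns NULL, so a comment covering both skip cases would make the intended behaviour reviewable.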
>Audit-Trail:
>Unformatted:
