Date: Thu, 23 Aug 2012 23:20:59 +0200
From: Polytropon <freebsd@edvax.de>
To: Damien Fleuriot <ml@my.gd>
Cc: Steve O'Hara-Smith <steve@sohara.org>, "freebsd-questions@freebsd.org" <freebsd-questions@freebsd.org>
Subject: Re: implications of adding root to a group
Message-ID: <20120823232059.d3a87786.freebsd@edvax.de>
In-Reply-To: <B8CE39B4-6A1C-42CA-93FB-148CA392B4FA@my.gd>
References: <CAK0Kb5FfcKzjOoLLwM+TX+Z17ZBC-gVSBUtrZNF7Ufpxk1c7FA@mail.gmail.com> <20120823162621.ae92b733.steve@sohara.org> <B8CE39B4-6A1C-42CA-93FB-148CA392B4FA@my.gd>
On Thu, 23 Aug 2012 23:07:04 +0200, Damien Fleuriot wrote:
>
> On 23 Aug 2012, at 17:26, Steve O'Hara-Smith <steve@sohara.org> wrote:
>
> > On Thu, 23 Aug 2012 07:51:10 -0700
> > Krims G <krimskrims@gmail.com> wrote:
> >
> >> Hello, I've been looking at the /etc/group and have noticed that some
> >> groups have root included in them, for example "operator". Is it not
> >> implied that root has access to all things and groups? What is the purpose
> >> of adding root to a group? If I add root to some new arbitrary group, what
> >> does it result in differently than if I do not add root to that group?
> >
> > The root user has the ability to ignore file permissions, but not
> > the ability to subvert group membership tests in scripts or programs.
> >
> > --
> > Steve O'Hara-Smith |
>
> While I can compute what you wrote, I fail to see the implications.
>
> Would you kindly explain in layman's terms?

Let's say a script tests (upon execution) if the caller does belong
to a specific group. While root may execute all scripts and "remove"
all barriers, root:wheel will still have "wheel" as the group. While
"root is superior to non-root" is true, "wheel is superior to non-wheel"
does not apply.

In this fictional example, let's assume the script is executable for
a specific non-root user. Obviously, root can override this and execute
it anyway, even if the script is rwx/---/--- for bob:foo. The script
initially tests if the caller is member of the group "foo" to continue.
As root is member of "wheel", and _not_ of "foo", the test will fail.
The script doesn't continue.

Adding root to specific groups allows programs testing for group
membership to recognize the required group. It's comparable to adding
non-root users to "operation groups" like "dialer" or "operator" to
allow them to execute scripts and programs that are executable for
the respective group, even though they are owned by root, like
rwx/r-x/---.
-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
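The scenario Polytropon describes, as an added example that is not part of the original thread: a script gates on membership of group "foo", root fails that gate despite being uid 0, and the gate passes once root is listed in the group. The group and passwd data below are constructed to mirror the thread (root in wheel and operator, bob in foo) and are looked up in place of the real /etc/group and /etc/passwd so the script runs anywhere without changing system state; on a real FreeBSD host the equivalent of add_to_group is `pw groupmod foo -m root`.

```shell
#!/bin/sh
# Added example: models a script's group-membership gate against a constructed
# group/passwd database.  Nothing here gives uid 0 special treatment, which
# is exactly why root fails the "foo" check until it is added to the group.

# Constructed sample data in the layout of FreeBSD's /etc/group
# (name:password:gid:members) and /etc/passwd
# (name:password:uid:gid:gecos:home:shell).  Not copied from any real system.
GROUP_DB='wheel:*:0:root
operator:*:5:root
foo:*:1001:bob
dialer:*:68:'
PASSWD_DB='root:*:0:0:Charlie &:/root:/bin/csh
bob:*:1001:1001:Bob:/home/bob:/bin/sh'

# primary_gid USER: print USER's login gid from PASSWD_DB (empty if unknown).
primary_gid() {
    printf '%s\n' "$PASSWD_DB" | awk -F: -v u="$1" '$1 == u { print $4; exit }'
}

# in_group USER GROUP: exit 0 if USER belongs to GROUP, either because GROUP
# is the user's primary group or because USER is in the member list; exit 1
# otherwise.  root is just another name here, with no override.
in_group() {
    printf '%s\n' "$GROUP_DB" | awk -F: -v u="$1" -v g="$2" -v pgid="$(primary_gid "$1")" '
        $1 == g {
            if (pgid != "" && $3 == pgid) found = 1
            n = split($4, m, ",")
            for (i = 1; i <= n; i++) if (m[i] == u) found = 1
        }
        END { exit(found ? 0 : 1) }'
}

# add_to_group GROUP USER: append USER to GROUP's member list in GROUP_DB.
# This is the "add root to a group" step the original poster asked about.
add_to_group() {
    GROUP_DB=$(printf '%s\n' "$GROUP_DB" | awk -F: -v OFS=: -v g="$1" -v u="$2" '
        $1 == g { $4 = ($4 == "") ? u : $4 "," u } { print }')
}

# require_group USER GROUP: the gate a script would place at its top.
# Returns 0 to continue, 1 to stop, and says which it chose.
require_group() {
    if in_group "$1" "$2"; then
        echo "$1 is in $2: continuing"
    else
        echo "$1 is not in $2: refusing to continue"
        return 1
    fi
}

# live_in_group USER GROUP: the same check against the real system, using
# id(1), which is what a deployed script would call instead of the sample data.
live_in_group() {
    id -Gn "$1" 2>/dev/null | tr ' ' '\n' | grep -qx "$2"
}

# Walk through the thread's scenario.  Run in a subshell so the change to
# GROUP_DB does not leak into the caller's shell.
walkthrough() {
    require_group bob foo  || :   # bob is in foo: continues
    require_group root foo || :   # root is in wheel/operator, not foo: stops
    add_to_group foo root         # add root to the group
    require_group root foo || :   # now continues
}
( walkthrough )
```

The file-permission side of the thread is deliberately absent from the gate: even if the script is mode 0700 and owned by bob:foo, root can still read and run it, but the membership test above is what decides whether it proceeds, and that test only looks at the group database.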
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20120823232059.d3a87786.freebsd>