From owner-freebsd-questions@FreeBSD.ORG Thu Aug 23 21:21:02 2012
Date: Thu, 23 Aug 2012 23:20:59 +0200
From: Polytropon <freebsd@edvax.de>
To: Damien Fleuriot
Cc: Steve O'Hara-Smith, freebsd-questions@freebsd.org
Subject: Re: implications of adding root to a group
Message-Id: <20120823232059.d3a87786.freebsd@edvax.de>
References: <20120823162621.ae92b733.steve@sohara.org>
X-Mailer: Sylpheed 3.1.1 (GTK+ 2.24.5; i386-portbld-freebsd8.2)

On Thu, 23 Aug 2012 23:07:04 +0200, Damien Fleuriot wrote:
>
> On 23 Aug 2012, at 17:26, Steve O'Hara-Smith wrote:
>
> > On Thu, 23 Aug 2012 07:51:10 -0700
> > Krims G wrote:
> >
> >> Hello, I've been looking at the /etc/group and have noticed that some
> >> groups have root included in them, for example "operator". Is it not
> >> implied that root has access to all things and groups? What is the purpose
> >> of adding root to a group? If I add root to some new arbitrary group, what
> >> does it result in differently than if I do not add root to that group?
> >
> > The root user has the ability to ignore file permissions, but not
> > the ability to subvert group membership tests in scripts or programs.
> >
> > --
> > Steve O'Hara-Smith |
>
> While I can compute what you wrote, I fail to see the implications.
>
> Would you kindly explain in layman's terms?

Let's say a script tests (upon execution) if the caller does belong
to a specific group. While root may execute all scripts and "remove"
all barriers, root:wheel will still have "wheel" as the group. While
"root is superior to non-root" is true, "wheel is superior to
non-wheel" does not apply.

In this fictional example, let's assume the script is executable for
a specific non-root user. Obviously, root can override this and
execute it anyway, even if the script is rwx/---/--- for bob:foo.
The script initially tests if the caller is a member of the group
"foo" to continue. As root is a member of "wheel", and _not_ of
"foo", the test will fail. The script doesn't continue.

Adding root to specific groups allows programs testing for group
membership to recognize the required group. It's comparable to
adding non-root users to "operation groups" like "dialer" or
"operator" to allow them to execute scripts and programs that are
executable for the respective group, even though they are owned by
root, like rwx/r-x/---.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
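The group-membership gate the reply describes, as an added shell example (not code from the mailing-list post); the group names "foo"/"wheel"/"operator" and the sample group lists are constructed, and membership of the real caller is read with `id -Gn`:

```shell
#!/bin/sh
# Added example (not from the post): a script that gates on group
# membership. Group names and the sample group lists below are
# constructed for illustration.

# in_group GROUP [GROUPLIST]
# Returns 0 if GROUP appears in GROUPLIST (space-separated); with no
# GROUPLIST the caller's own groups from `id -Gn` are used.
in_group() {
    want=$1
    list=${2:-$(id -Gn)}
    for g in $list; do
        [ "$g" = "$want" ] && return 0
    done
    return 1
}

# require_group GROUP: refuse to continue unless the caller is in GROUP.
# This is a string comparison, not a file-permission check, so uid 0
# gets no exemption: root only passes if /etc/group lists it in GROUP.
require_group() {
    if in_group "$1"; then
        return 0
    fi
    echo "$(id -un) (uid $(id -u)) is not a member of group '$1'" >&2
    return 1
}

# demo: root that is only in wheel/operator versus bob who is in foo,
# using constructed group lists (as /etc/group might assign them).
demo() {
    root_groups="wheel operator"
    bob_groups="bob foo"
    in_group foo "$bob_groups"  && echo "bob:  'foo' check passes"
    in_group foo "$root_groups" || echo "root: 'foo' check fails despite uid 0"
}

# Usage: ./gate.sh        -> run the demo with the constructed lists
#        ./gate.sh --gate -> gate on the caller's real groups
if [ "${1-}" = "--gate" ]; then
    require_group foo && echo "continuing: caller is in foo"
else
    demo
fi
```

Adding root to "foo" in /etc/group (or a new login so `id -Gn` reflects it) is what makes the `--gate` path succeed for root; running the script as root without that entry still fails the check.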