Date: Fri, 8 Feb 2013 08:47:18 -0500 From: Diane Bruce <db@db.net> To: "Teske, Devin" <Devin.Teske@fisglobal.com> Cc: Diane Bruce <db@db.net>, "freebsd-arch@freebsd.org" <freebsd-arch@freebsd.org> Subject: Re: group(5) Group Passwords do not work Message-ID: <20130208134718.GB62849@night.db.net> In-Reply-To: <13CA24D6AB415D428143D44749F57D7201EA6244@ltcfiswmsgmb21> References: <20130207232352.GA51387@night.db.net> <13CA24D6AB415D428143D44749F57D7201EA6244@ltcfiswmsgmb21>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Feb 08, 2013 at 09:47:04AM +0000, Teske, Devin wrote: > On Thu, 7 Feb 2013, Diane Bruce wrote: > ... > > It secretly does work -- but only for those willing to take the plunge and: > > WARNING: Not recommended unless you *must* have this functionality... > > sudo chmod u+s /usr/bin/newgrp > > NOTE: Assuming /usr/bin/newgrp is already owned by root > > See newgrp(8) for additional details. Indeed it will work if it is properly setuid root. The question was whether we should further deprecate it or document it. ;) > > Mark Saad spent some time > > checking this. If it is stated it is never going to be made to work, by core > > or whatever, some of the code in libutil + pw can be simplified a bit. > > newgrp(8) ships without the setuid root bit set for security reasons. It's there to flip for anybody that needs it. Perhaps documentation should be updated to mention this. > Yes, that was the over all question. If we are shipping with it deliberately non setuid are we deprecating it with the aim of further removing it completely, which OpenBSD have already done BTW or are we going to document it. On an OpenBSD machine you will get: $ newgrp ksh: newgrp: not found > > > It was also suggested on IRC that it is also possible that some pam > > code does expect group passwords to work or at least passed through. > > > > Nope, not used by PAM. > > > > How are we to proceed folks? > > I'd rather not see this functionality go away -- in my up-coming release of bsdconfig(8) I have a module that supports nearly every aspect of pw(8) including managing group(5) passwords. I see in a later reply to this thread by des that the list includes things besides newgrp(8) and pw(8) ... add bsdconfig(8) to that list by way of pw(8) usage. > -- > Devin I'm finishing this incomplete reply to move to IRC for now ;) > > _____________ > The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you. > _______________________________________________ > freebsd-arch@freebsd.org mailing list > http://lists.freebsd.org/mailman/listinfo/freebsd-arch > To unsubscribe, send any mail to "freebsd-arch-unsubscribe@freebsd.org" -- - db@FreeBSD.org db@db.net http://www.db.net/~db
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20130208134718.GB62849>