Sheldon Hearn wrote:
> > The FreeBSD 4.3 manpage says:
> >      Only users who are a member of group 0 (normally ``wheel'') can su to
> >      ``root''.   If group 0 is missing or empty, any user can su to
> >      ``root''.
> I guess that could (at a stretch) be interpreted the same as OpenBSD's
> behaviour.
> I guess I'll withdraw my complaint, since it just boils down to "the
> behaviour changed!" now.

The reason for this is that the pam code for doing the enforcement
is being trusted utterly.  In the past, we would consider both
the primary group (the group from the passwd file entry), and the
auxillary groups (the groups from the groups file entries, if any),
as synonymous.  With the pam code being used, we no longer consider
the primary group to be on the same par as the groups file entries.

IMO, this is bad, and should be fixed: the OpenBSD code is just
a rationalization of the behaviour forced when you don't consider
the user's primary group.

It seems very odd to me that the primary group is ignored, while
the auxillary group memberships are what determines whether or
not it's possible for a person to su... call me crazy, but I think
it's the job of the interface to rationalize this, so that the
_most significant group membership_ is not ignored.

-- Terry

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to