On 31-Jul-01 Terry Lambert wrote:
> Sheldon Hearn wrote:
>> > The FreeBSD 4.3 manpage says:
>> >      Only users who are a member of group 0 (normally ``wheel'') can su to
>> >      ``root''.   If group 0 is missing or empty, any user can su to
>> >      ``root''.
>> I guess that could (at a stretch) be interpreted the same as OpenBSD's
>> behaviour.
>> I guess I'll withdraw my complaint, since it just boils down to "the
>> behaviour changed!" now.
> The reason for this is that the pam code for doing the enforcement
> is being trusted utterly.  In the past, we would consider both
> the primary group (the group from the passwd file entry), and the
> auxillary groups (the groups from the groups file entries, if any),
> as synonymous.  With the pam code being used, we no longer consider
> the primary group to be on the same par as the groups file entries.
> IMO, this is bad, and should be fixed: the OpenBSD code is just
> a rationalization of the behaviour forced when you don't consider
> the user's primary group.
> It seems very odd to me that the primary group is ignored, while
> the auxillary group memberships are what determines whether or
> not it's possible for a person to su... call me crazy, but I think
> it's the job of the interface to rationalize this, so that the
> _most significant group membership_ is not ignored.

I agree.  The only people who want this are those who think a wheel group is a
sign of oppresion and don't want to limit the availability of 'su' to just
wheel users.  At least that seems to be the only reason the check is there.
You could still achieve that by not having any users have wheel as their
primary group.


John Baldwin <[EMAIL PROTECTED]> -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to