On 5/1/2010 6:40 PM, Adam Megacz wrote:
>
> Is there any reason why pts won't let system:administrator create groups
> whose prefix does not match any user?
>
> $pts ex blah
> pts: User or group doesn't exist so couldn't look up id for blah
> $pts creategroup blah:booh
> pts: Badly formed name (group prefix doesn't match owner?) ; unable to
> create group blah:booh
>
> Clearly this can be circumvented by system:administrator:
>
> $pts cu blah
> User blah has id 100015
> $pts creategroup blah:booh -owner blah
> group blah:booh has id -1012
> $pts delete blah
> $pts ex blah:booh
> Name: blah:booh, id: -1012, owner: 0, creator: megacz,
> membership: 0, flags: S-M--, group quota: 0.
>
> is there a danger in doing this, other than perhaps confusion?

I suspect that the above is a security issue. It means that user 1 can be assigned pts id "foo" and if "foo" is deleted (but not foo's groups) when user 1 leaves the company, then when user 2 comes along and is assigned the unused "foo", s/he will inherit all of the groups that belonged to user 1. I suspect the proper behavior should at some point become that deletion of pts id "foo" should remove all of the groups as well. By intentionally creating groups that are owned by no valid pts id, you increase the chance that such an id would be used for another purpose.
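An audit for the condition discussed in this thread, added here as an example and not part of either message: it lists groups whose name prefix matches no existing pts user, so they can be reviewed before that name is assigned again. It assumes saved output of `pts listentries -users` and `pts listentries -groups` in a four-column Name/ID/Owner/Creator layout; the sample rows, the ids other than -1012, and the function names are constructed for illustration.

```python
# Added example: find AFS groups whose name prefix matches no current pts user.
# Assumed input layout: Name, ID, Owner, Creator columns. Sample rows are constructed.

SAMPLE_USERS = """\
Name                          ID  Owner Creator
megacz                    100001   -204  100001
alice                     100002   -204  100001
"""

SAMPLE_GROUPS = """\
Name                          ID  Owner Creator
system:administrators       -204   -204    -204
alice:staff                -1010 100002  100002
blah:booh                  -1012      0  100001
"""

RESERVED_PREFIXES = {"system"}  # built-in groups, never tied to a user name


def parse_entries(text):
    """Return (name, id) pairs from a listing, skipping header and malformed rows."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Name":
            continue
        try:
            entries.append((parts[0], int(parts[1])))
        except ValueError:
            continue
    return entries


def orphaned_prefix_groups(users_text, groups_text):
    """Groups named prefix:suffix where no user called prefix currently exists."""
    user_names = {name for name, _ in parse_entries(users_text)}
    orphans = []
    for name, gid in parse_entries(groups_text):
        prefix, sep, _ = name.partition(":")
        if sep and prefix not in RESERVED_PREFIXES and prefix not in user_names:
            orphans.append((name, gid))
    return orphans


def groups_waiting_for(new_name, users_text, groups_text):
    """Orphaned groups a newly created user called new_name would match by prefix."""
    return [g for g in orphaned_prefix_groups(users_text, groups_text)
            if g[0].split(":", 1)[0] == new_name]


if __name__ == "__main__":
    for name, gid in orphaned_prefix_groups(SAMPLE_USERS, SAMPLE_GROUPS):
        print(f"orphaned prefix: {name} (id {gid})")
```

Running `groups_waiting_for` with a candidate user name before creating it shows which leftover groups carry that name as their prefix.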
