Re: su root broken in -CURRENT
I have the PR, and I will fix this :-)

M

> > On Tue, 31 Jul 2001, Terry Lambert wrote:
> >
> > > The reason for this is that the pam code for doing the enforcement
> > > is being trusted utterly. In the past, we would consider both
> > > the primary group (the group from the passwd file entry), and the
> > > auxiliary groups (the groups from the groups file entries, if any),
> > > as synonymous. With the pam code being used, we no longer consider
> > > the primary group to be on the same par as the groups file entries.
> >
> > I can pin this down at r1.26 of su.c
> > (Mon May 25 03:34:52 1998 UTC (3 years, 2 months ago) by steve)
> >
> > Prior to this date only appearance in /etc/group was considered.
> >
> > The change occurred in response to PR bin/6696
> >
> > Like Terry, I prefer the semantics whereby the user's primary
> > group is considered. Three years of precedent should be sufficient
> > to have this change to pam_wheel.c, I hope, before PAM use in su
> > is MFC'd.
> >
> > I have just entered a PR on this.
> >
> > cc'd to: markm
> >
> > Joshua

--
Mark Murray
Warning: this .sig is umop ap!sdn

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
Re: su root broken in -CURRENT
On Tue, 31 Jul 2001, Terry Lambert wrote:

> The reason for this is that the pam code for doing the enforcement
> is being trusted utterly. In the past, we would consider both
> the primary group (the group from the passwd file entry), and the
> auxiliary groups (the groups from the groups file entries, if any),
> as synonymous. With the pam code being used, we no longer consider
> the primary group to be on the same par as the groups file entries.

I can pin this down at r1.26 of su.c
(Mon May 25 03:34:52 1998 UTC (3 years, 2 months ago) by steve)

Prior to this date only appearance in /etc/group was considered.

The change occurred in response to PR bin/6696

Like Terry, I prefer the semantics whereby the user's primary
group is considered. Three years of precedent should be sufficient
to have this change to pam_wheel.c, I hope, before PAM use in su
is MFC'd.

I have just entered a PR on this.

cc'd to: markm

Joshua
Re: su root broken in -CURRENT
On 31-Jul-01 Terry Lambert wrote:
> Sheldon Hearn wrote:
>> > The FreeBSD 4.3 manpage says:
>> > Only users who are a member of group 0 (normally ``wheel'') can su to
>> > ``root''. If group 0 is missing or empty, any user can su to
>> > ``root''.
>>
>> I guess that could (at a stretch) be interpreted the same as OpenBSD's
>> behaviour.
>>
>> I guess I'll withdraw my complaint, since it just boils down to "the
>> behaviour changed!" now.
>
> The reason for this is that the pam code for doing the enforcement
> is being trusted utterly. In the past, we would consider both
> the primary group (the group from the passwd file entry), and the
> auxiliary groups (the groups from the groups file entries, if any),
> as synonymous. With the pam code being used, we no longer consider
> the primary group to be on the same par as the groups file entries.
>
> IMO, this is bad, and should be fixed: the OpenBSD code is just
> a rationalization of the behaviour forced when you don't consider
> the user's primary group.
>
> It seems very odd to me that the primary group is ignored, while
> the auxiliary group memberships are what determines whether or
> not it's possible for a person to su... call me crazy, but I think
> it's the job of the interface to rationalize this, so that the
> _most significant group membership_ is not ignored.

I agree. The only people who want this are those who think a wheel group
is a sign of oppression and don't want to limit the availability of 'su'
to just wheel users. At least that seems to be the only reason the check
is there. You could still achieve that by not having any users have wheel
as their primary group.

--
John Baldwin <[EMAIL PROTECTED]> -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!" - http://www.FreeBSD.org/
Re: su root broken in -CURRENT
Sheldon Hearn wrote:
> > The FreeBSD 4.3 manpage says:
> > Only users who are a member of group 0 (normally ``wheel'') can su to
> > ``root''. If group 0 is missing or empty, any user can su to
> > ``root''.
>
> I guess that could (at a stretch) be interpreted the same as OpenBSD's
> behaviour.
>
> I guess I'll withdraw my complaint, since it just boils down to "the
> behaviour changed!" now.

The reason for this is that the pam code for doing the enforcement
is being trusted utterly. In the past, we would consider both
the primary group (the group from the passwd file entry), and the
auxiliary groups (the groups from the groups file entries, if any),
as synonymous. With the pam code being used, we no longer consider
the primary group to be on the same par as the groups file entries.

IMO, this is bad, and should be fixed: the OpenBSD code is just
a rationalization of the behaviour forced when you don't consider
the user's primary group.

It seems very odd to me that the primary group is ignored, while
the auxiliary group memberships are what determines whether or
not it's possible for a person to su... call me crazy, but I think
it's the job of the interface to rationalize this, so that the
_most significant group membership_ is not ignored.

-- Terry
Re: su root broken in -CURRENT
On Tue, 31 Jul 2001 05:35:00 +0100, Joshua Goodall wrote:

> The FreeBSD 4.3 manpage says:
> Only users who are a member of group 0 (normally ``wheel'') can su to
> ``root''. If group 0 is missing or empty, any user can su to
> ``root''.

I guess that could (at a stretch) be interpreted the same as OpenBSD's
behaviour.

I guess I'll withdraw my complaint, since it just boils down to "the
behaviour changed!" now.

Ciao,
Sheldon.
Re: su root broken in -CURRENT
On Thu, 26 Jul 2001, Sheldon Hearn wrote:

> On Wed, 25 Jul 2001 19:20:45 MST, Kris Kennaway wrote:
>
> > Isn't this backwards? Code shouldn't be making assumptions about the
> > special meaning of numeric gids. What if you wanted to renumber gid
> > wheel to something else?
>
> So? My primary group is 0. In /etc/group, group wheel's numeric value
> is 0.

The FreeBSD 4.3 manpage says:

    Only users who are a member of group 0 (normally ``wheel'') can su to
    ``root''. If group 0 is missing or empty, any user can su to
    ``root''.

The OpenBSD-current manpage says (more explicitly):

    If group 0 (normally ``wheel'') has users listed then only those users
    can su to ``root''. It is not sufficient to change a user's /etc/passwd
    entry to add them to the ``wheel'' group; they must explicitly be
    listed in /etc/group. If no one is in the ``wheel'' group, it is
    ignored, and anyone who knows the root password is permitted to su to
    ``root''.

The FreeBSD -CURRENT manpage doesn't mention wheel at all, referring the
reader to pam.conf to work out the semantics. I think this is a loss - the
defaults for su in pam.conf should at least be covered in the manpage.

Joshua
Re: su root broken in -CURRENT
On Wed, 25 Jul 2001 19:20:45 MST, Kris Kennaway wrote:

> Isn't this backwards? Code shouldn't be making assumptions about the
> special meaning of numeric gids. What if you wanted to renumber gid
> wheel to something else?

So? My primary group is 0. In /etc/group, group wheel's numeric value
is 0.

Ciao,
Sheldon.
Re: su root broken in -CURRENT
On Thu, Jul 26, 2001 at 03:46:15AM +0200, Sheldon Hearn wrote:
>
> On Thu, 26 Jul 2001 03:15:38 +0200, Sheldon Hearn wrote:
>
> > I've completed a pretty clean crossgrade [1] to -CURRENT and find that
> > su is broken. I thought this had been fixed.
> >
> > I have a virgin rev 1.17 /etc/pam.conf, I'm in group wheel, I built
> > world with no funky options, the su binary (built from su rev 1.39)
> > really is setuid root and yet I get the amazingly helpful error message:
> >
> > su: Sorry
>
> Found it. pam_wheel is a whore. It doesn't use getgid() or getegid(),
> but instead grovels through /etc/group manually.
>
> I'm in group wheel by virtue of the fact that my GID specified in the
> passwd file is 0. I don't have to be in /etc/group.
>
> Unless, of course, I want to su. :-)

Isn't this backwards? Code shouldn't be making assumptions about the
special meaning of numeric gids. What if you wanted to renumber gid
wheel to something else?

Kris
Re: su root broken in -CURRENT
On Thu, 26 Jul 2001 03:15:38 +0200, Sheldon Hearn wrote:

> I've completed a pretty clean crossgrade [1] to -CURRENT and find that
> su is broken. I thought this had been fixed.
>
> I have a virgin rev 1.17 /etc/pam.conf, I'm in group wheel, I built
> world with no funky options, the su binary (built from su rev 1.39)
> really is setuid root and yet I get the amazingly helpful error message:
>
> su: Sorry

Found it. pam_wheel is a whore. It doesn't use getgid() or getegid(),
but instead grovels through /etc/group manually.

I'm in group wheel by virtue of the fact that my GID specified in the
passwd file is 0. I don't have to be in /etc/group.

Unless, of course, I want to su. :-)

Ciao,
Sheldon.
su root broken in -CURRENT
Hi folks,

I've completed a pretty clean crossgrade [1] to -CURRENT and find that
su is broken. I thought this had been fixed.

I have a virgin rev 1.17 /etc/pam.conf, I'm in group wheel, I built
world with no funky options, the su binary (built from su rev 1.39)
really is setuid root and yet I get the amazingly helpful error message:

su: Sorry

without being prompted for a password. /var/log/messages contains the
infinitely more helpful error message

su: pam_authenticate: Permission denied

So what's up?

Ciao,
Sheldon.

[1] I can't bring myself to call the process of converting from
4.3-STABLE to 5.0-CURRENT an "upgrade".
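The two competing rules in this thread, the group-file-only check Sheldon reports pam_wheel performing and the "primary gid counts too" semantics Terry and Joshua argue for, together with the 4.3 manpage's "group 0 missing or empty means anyone may su" clause quoted by Joshua, are shown side by side below. This is an added example written for this page; it is not FreeBSD's su or pam_wheel code and does not read the real /etc/passwd or /etc/group. The passwd and group records, the user names, and the function names (primary_gid, allowed_group_file_only, allowed_with_primary) are all constructed for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample records standing in for /etc/passwd and /etc/group.
 * They are not taken from any real system; they exist only for this example. */
static const char *sample_passwd[] = {
    "sheldon:*:1001:0:Sheldon:/home/sheldon:/bin/sh",   /* primary gid 0, not listed in group 0 */
    "joshua:*:1002:1002:Joshua:/home/joshua:/bin/sh",    /* listed in group 0 via the group file */
    "nobody:*:65534:65534:Nobody:/nonexistent:/bin/sh",  /* neither */
    NULL
};
static const char *sample_group[] = {
    "wheel:*:0:root,joshua",
    "users:*:1002:",
    NULL
};

/* Copy the idx-th (0-based) colon-separated field of line into out.
 * Returns 0 on success, -1 if the field is absent or does not fit. */
static int field(const char *line, int idx, char *out, size_t outlen)
{
    const char *p = line;
    for (int i = 0; i < idx; i++) {
        p = strchr(p, ':');
        if (p == NULL)
            return -1;
        p++;
    }
    const char *end = strchr(p, ':');
    size_t len = end != NULL ? (size_t)(end - p) : strlen(p);
    if (len >= outlen)
        return -1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 0;
}

/* Primary gid from the passwd records (4th field), or -1 for an unknown user. */
long primary_gid(const char *user)
{
    char name[64], gidstr[16];
    for (const char **l = sample_passwd; *l != NULL; l++)
        if (field(*l, 0, name, sizeof name) == 0 && strcmp(name, user) == 0 &&
            field(*l, 3, gidstr, sizeof gidstr) == 0)
            return strtol(gidstr, NULL, 10);
    return -1;
}

/* The group record whose numeric gid (3rd field) equals gid, or NULL if missing. */
static const char *find_group(long gid)
{
    char gidstr[16];
    for (const char **l = sample_group; *l != NULL; l++)
        if (field(*l, 2, gidstr, sizeof gidstr) == 0 && strtol(gidstr, NULL, 10) == gid)
            return *l;
    return NULL;
}

/* Does a comma-separated member list name user exactly (no prefix matches)? */
static int member_listed(const char *members, const char *user)
{
    size_t ulen = strlen(user);
    for (const char *p = members; ; p++) {
        const char *comma = strchr(p, ',');
        size_t len = comma != NULL ? (size_t)(comma - p) : strlen(p);
        if (len == ulen && strncmp(p, user, ulen) == 0)
            return 1;
        if (comma == NULL)
            return 0;
        p = comma;              /* loop increment steps past the comma */
    }
}

/* Group-file-only rule, as Sheldon describes pam_wheel behaving: only an
 * explicit entry in group 0's member list counts. A missing or empty group 0
 * lets anyone through, per the 4.3 manpage text quoted in the thread. */
int allowed_group_file_only(const char *user)
{
    const char *g = find_group(0);
    char members[256];
    if (g == NULL || field(g, 3, members, sizeof members) != 0 || members[0] == '\0')
        return 1;
    return member_listed(members, user);
}

/* The semantics Terry and Joshua prefer: a primary gid of 0 in the passwd
 * entry is on a par with an explicit listing in the group file. */
int allowed_with_primary(const char *user)
{
    if (primary_gid(user) == 0)
        return 1;
    return allowed_group_file_only(user);
}

int main(void)
{
    const char *users[] = { "sheldon", "joshua", "nobody" };
    for (size_t i = 0; i < 3; i++)
        printf("%-8s group-file-only=%d with-primary=%d\n", users[i],
               allowed_group_file_only(users[i]), allowed_with_primary(users[i]));
    return 0;
}
```

Run as written, the constructed "sheldon" record reproduces the complaint: primary gid 0 but no /etc/group listing, so the group-file-only rule refuses while the combined rule accepts; "joshua" passes either way and "nobody" passes neither.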