Subject: Re: CVS commit: basesrc
To: Simon J. Gerraty <sjg@netbsd.org>
From: Jim Wise <jwise@draga.com>
List: source-changes
Date: 01/10/2001 16:35:12

Please do _not_ make this the default without further discussion, as you
have potentially just changed the set of users who can su to root on the
systems of all people tracking -current.  Without warning.

It is entirely possible for people to have names in `wheel' without
wanting the group of that name to be able to `su' to root (hint: think
of sites using NIS/HESIOD/whatever, where not all users exist on all
machines but the same /etc/group does).

This also breaks the general meaning of /etc/group in a weird way -- su
is _not_ the only program which examines this file.  Leaving aside the
above, I think this alone is a good reason to find some _other_
mechanism to get the result you want.

tech-security is a fair place to discuss this change.  In the meantime,
please BACK IT OUT.

Thanks,

On Wed, 10 Jan 2001, Simon J. Gerraty wrote:

>
>Module Name:	basesrc
>Committed By:	sjg
>Date:		Wed Jan 10 21:33:13 UTC 2001
>
>Modified Files:
>	basesrc/usr.bin/su: Makefile su.1 su.c
>
>Log Message:
>If SU_INDIRECT_GROUP is defined (it is by default), then su will
>consider that SUGROUP and ROOTAUTH group contain the names of
>users and groups.  If user is not found in the list check_ingroup()
>recurses on each member until either user is found or end of chain
>is reached.
>
>The above allows su's use of the wheel group to be extended to a large
>number of users without necessarily putting them in group wheel, and
>in a way that will work over NIS that simply extending the line length
>limit in getgrent.c cannot.
>
>
>To generate a diff of this commit:
>cvs rdiff -r1.24 -r1.25 basesrc/usr.bin/su/Makefile
>cvs rdiff -r1.19 -r1.20 basesrc/usr.bin/su/su.1
>cvs rdiff -r1.45 -r1.46 basesrc/usr.bin/su/su.c
>
>Please note that diffs are not public domain; they are subject to the
>copyright notices on the relevant files.
>

-- 
				Jim Wise
				jwise@draga.com

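Added illustration, not part of this thread and not the code from su.c: a small Python model of the member-by-member recursion the commit message describes, run over a constructed /etc/group so the difference in who can reach root via `wheel' with and without the indirect lookup is visible. All user and group names are hypothetical, and the `_seen` set is an assumption standing in for the end-of-chain stop.

```python
# Model of su's indirect-group lookup (SU_INDIRECT_GROUP) over a
# constructed /etc/group. Not the real su.c implementation.

# Constructed /etc/group content; every name here is hypothetical.
# Note the name "ops" in wheel: it is both a group name and, on some
# hosts, a user name, which is the ambiguity the thread objects to.
GROUP_FILE = """\
wheel:*:0:root,alice,ops
ops:*:100:bob,carol
staff:*:20:dave
"""


def parse_group_file(text):
    """Return {group_name: [member, ...]} from /etc/group-style lines."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = [m for m in members.split(",") if m]
    return groups


def check_ingroup(groups, group, user, indirect, _seen=None):
    """Is `user` granted via `group`?  With indirect=False only names on
    the group line count.  With indirect=True each member that is also
    a group name is recursed into, as the commit message describes.
    _seen (assumption) stops the walk when a chain loops back."""
    if _seen is None:
        _seen = set()
    if group in _seen:
        return False
    _seen.add(group)
    for member in groups.get(group, []):
        if member == user:
            return True
        if indirect and member in groups:
            if check_ingroup(groups, member, user, indirect, _seen):
                return True
    return False


def who_can_su(groups, users, indirect, sugroup="wheel"):
    """Sorted list of the given users that pass the sugroup check."""
    return sorted(u for u in users if check_ingroup(groups, sugroup, u, indirect))


def newly_granted(groups, users, sugroup="wheel"):
    """Users who gain the sugroup only through the indirect lookup:
    the set an admin would want to review before enabling it."""
    before = set(who_can_su(groups, users, False, sugroup))
    after = set(who_can_su(groups, users, True, sugroup))
    return sorted(after - before)
```

On the sample file, `newly_granted` reports bob and carol, neither of whom appears on the wheel line.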