'pw usermod -G' not removing user from group?
Rick Miller
vmiller at hostileadmin.com
Thu Mar 26 15:37:13 UTC 2015
On Thu, Mar 26, 2015 at 10:24 AM, Matthew Pherigo <hybrid120 at gmail.com>
wrote:
> Thanks for your email, Rick. While I understand the necessity of the
> security-patch-only limitation, I would argue that this issue actually IS a
> security risk, like so:
>
> Case 1: admin needs to add a user to a group. This works correctly.
> Case 2: admin needs to remove a user from a group. This doesn't work, but
> since the admin has just shown that he doesn't need or want this user to be
> part of the group, he won't attempt to access those group resources by the
> user unless he is explicitly testing it. I only noticed this bug because
> Salt had a test case for it.
> Case 3: admin needs to remove one group and add another. The new group is
> added correctly, but the old group is not removed. It's much more likely
> that the addition will be noticed while the failed removal will not.
>
> I would argue that this is much more dangerous than the opposite (Addition
> of groups failing but removal of groups succeeding), as giving an account
> too much privilege is a security risk while an account not having enough
> privilege is simply an inconvenience.
>
Just a quick nitpick...on mailing lists where threads can often be very
lengthy it is generally accepted that inline posting is preferred to
top-posting. This practice helps to maintain the readability of a thread.
That said, after closer inspection, the behavior you described is not
identical to the behavior described and illustrated in the PR referenced.
Chalk it up to me not reading your post closely enough. My apologies.
PR187189 specifically addresses duplicate groups with differing ID's where
the behavior you're experiencing, while similar, does not include duplicate
groups.
You may consider opening a PR for this if one is not already open.
--
Take care
Rick Miller
More information about the freebsd-questions
mailing list