group(5) Group Passwords do not work
Teske, Devin
Devin.Teske at fisglobal.com
Fri Feb 8 09:47:19 UTC 2013
On Thu, 7 Feb 2013, Diane Bruce wrote:
> Hi,
>
> I've been looking at pw & friends for a while when this PR
> was brought to my attention.
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=docs/167741
>
> Right now group passwords in /etc/group are marked with *
> I'm told some linux distributions are marking this as "NOTUSED"
> Clearly our man pages should either be changed to make it much more clear
> that this stuff does not work and will never work in FreeBSD or the
> code should be changed to make it work. ;)
It secretly does work -- but only for those willing to take the plunge and:
WARNING: Not recommended unless you *must* have this functionality...
sudo chmod u+s /usr/bin/newgrp
NOTE: Assuming /usr/bin/newgrp is already owned by root
See newgrp(8) for additional details.
> Mark Saad spent some time
> checking this. If it is stated it is never going to be made to work, by core
> or whatever, some of the code in libutil + pw can be simplified a bit.
newgrp(8) ships without the setuid root bit set for security reasons. It's there to flip for anybody that needs it. Perhaps documentation should be updated to mention this.
> It was also suggested on IRC that it is also possible that some pam
> code does expect group passwords to work or at least passed through.
>
Nope, not used by PAM.
> How are we to proceed folks?
I'd rather not see this functionality go away -- in my upcoming release of bsdconfig(8) I have a module that supports nearly every aspect of pw(8) including managing group(5) passwords. I see in a later reply to this thread by des that the list includes things besides newgrp(8) and pw(8) ... add bsdconfig(8) to that list by way of pw(8) usage.
--
Devin
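Added example, not part of the thread above: a small audit script in the spirit of the setuid caveat Devin describes. It lists entries in a group(5)-format file whose password field is set to something other than empty or the "*" lock marker, and reports whether a given newgrp binary carries the setuid bit (the condition under which those hashes become meaningful). The sample group file it builds is constructed for the demonstration; the function names are my own.

```shell
#!/bin/sh
# Audit helper (added example): group(5) password hashes only matter when
# newgrp(8) is installed setuid root, which FreeBSD does not do by default.

# Print "name:gid" for every group whose password field holds a hash.
# $1: path to a group(5)-format file (defaults to /etc/group).
groups_with_passwords() {
    awk -F: '
        # skip comment lines and anything that is not name:passwd:gid[:members]
        /^#/ || NF < 3 { next }
        # an empty field or "*" means no group password is set
        $2 != "" && $2 != "*" { print $1 ":" $3 }
    ' "${1:-/etc/group}"
}

# Succeed (exit 0) if the file has the setuid bit set, fail (exit 1) otherwise.
# $1: path to a binary, e.g. /usr/bin/newgrp.
is_setuid() {
    [ -u "$1" ]
}

# Stand-alone demonstration on a constructed group file.
demo() {
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
# constructed sample, not a real /etc/group
wheel:*:0:root
operator:*:5:root
staff:$6$constructedhash$notreal:20:alice,bob
guests::31:
EOF
    echo "groups with a password hash:"
    groups_with_passwords "$tmp"
    rm -f "$tmp"
    if is_setuid /usr/bin/newgrp; then
        echo "/usr/bin/newgrp is setuid: group passwords are usable"
    else
        echo "/usr/bin/newgrp is not setuid: group passwords are inert"
    fi
}

demo
```

On a stock FreeBSD install the second check reports newgrp as not setuid, so any hash the first function turns up is inert until someone runs the chmod from the reply above; running both checks together is a quick way to confirm that state has not changed.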