group(5) Group Passwords do not work

Brooks Davis brooks at freebsd.org
Sun Feb 10 12:08:07 UTC 2013


On Fri, Feb 08, 2013 at 08:47:18AM -0500, Diane Bruce wrote:
> On Fri, Feb 08, 2013 at 09:47:04AM +0000, Teske, Devin wrote:
> > On Thu, 7 Feb 2013, Diane Bruce wrote:
> > 
> ...
> > 
> > It secretly does work -- but only for those willing to take the plunge and:
> > 
> > WARNING: Not recommended unless you *must* have this functionality...
> > 
> > sudo chmod u+s /usr/bin/newgrp
> > 
> > NOTE: Assuming /usr/bin/newgrp is already owned by root
> > 
> > See newgrp(8) for additional details.
> 
> Indeed it will work if it is properly setuid root. The question was
> whether we should further deprecate it or document it. ;)

We should document the requirement to add u+s in older branches and
deprecate it with the aim of removing it.  It's only usable on single
systems unless you are willing to put the hashes in NIS since there
isn't the possibility of a group password in LDAP.  Worse yet, it's
probably only portable in practice with DES hashes which must be exposed
to the user.  Finally, even without the problem of the exposed hashes,
any user (even nobody or www) can become a member of the group just by
knowing the shared secret.

Users who want this functionality are probably better served with sudo
and a well designed sudoers configuration.  It won't have exactly the
same affordances, but the affordances of newgrp are terrible.

-- Brooks
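The two preconditions discussed above (newgrp being setuid root, and group(5) entries carrying a real password hash, readable by everyone) can be checked with a short audit helper. The script below is an added example, not code from this thread or from FreeBSD; the group(5) content is constructed, and the hash classification assumes the conventional crypt(3) prefixes (13-character traditional DES, `$1$` MD5, `$2*` Blowfish, `$5$`/`$6$` SHA).

```shell
#!/bin/sh
# Added example, not part of the thread. Reports group(5) entries that carry a
# usable password hash, names the hash type (the message notes that only DES
# hashes are portable in practice), and checks the setuid-root precondition
# for newgrp.

# Constructed sample group(5) content used for the stand-alone run.
SAMPLE_GROUP='wheel:*:0:root
daemon:*:1:daemon
staff:aBcDeFgHiJkLm:20:alice,bob
ops:$1$saltsalt$xxxxxxxxxxxxxxxxxxxxxx:1001:carol
www::80:
nobody:*:65534:'

# Classify the password field of one group(5) entry.
# "none" covers the usual "no password" markers: empty, *, !, x.
hash_kind() {
  case "$1" in
    ''|'*'|'!'|'x') echo none ;;
    '$1$'*) echo md5 ;;
    '$2'*)  echo blowfish ;;
    '$5$'*) echo sha256 ;;
    '$6$'*) echo sha512 ;;
    *)
      # Traditional DES crypt: exactly 13 characters from [./0-9A-Za-z].
      if printf '%s' "$1" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
        echo des
      else
        echo unknown
      fi ;;
  esac
}

# Print "<group> <hash kind>" for every entry whose password field is a hash.
# Argument: the full text of a group(5) file.
group_password_entries() {
  printf '%s\n' "$1" | while IFS=: read -r name pw gid members; do
    kind=$(hash_kind "$pw")
    [ "$kind" = none ] && continue
    printf '%s %s\n' "$name" "$kind"
  done
}

# True if the setuid bit is set on the given path (POSIX test -u).
has_setuid_bit() {
  [ -u "$1" ]
}

# True only if the file is setuid AND owned by root, which is what newgrp
# needs before group passwords do anything at all.
newgrp_is_usable() {
  [ -u "$1" ] && [ "$(ls -ld "$1" | awk '{print $3}')" = root ]
}

# Stand-alone run over the constructed sample.
group_password_entries "$SAMPLE_GROUP"
```

On a real host, run `group_password_entries "$(cat /etc/group)"` and `newgrp_is_usable /usr/bin/newgrp`. Every hash the first call lists is world-readable in /etc/group, which is the exposure the message describes; the second call tells you whether the `chmod u+s` step from the quoted reply has been applied.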