implications of adding root to a group

Polytropon freebsd at edvax.de
Thu Aug 23 21:21:02 UTC 2012


On Thu, 23 Aug 2012 23:07:04 +0200, Damien Fleuriot wrote:
> 
> On 23 Aug 2012, at 17:26, Steve O'Hara-Smith <steve at sohara.org> wrote:
> 
> > On Thu, 23 Aug 2012 07:51:10 -0700
> > Krims G <krimskrims at gmail.com> wrote:
> > 
> >> Hello, I've been looking at the /etc/group and have noticed that some
> >> groups have root included in them, for example "operator". Is it not
> >> implied that root has access to all things and groups? What is the purpose
> >> of adding root to a group? If I add root to some new arbitrary group, what
> >> does it result in differently than if I do not add root to that group?
> > 
> >    The root user has the ability to ignore file permissions, but not
> > the ability to subvert group membership tests in scripts or programs.
> > 
> > -- 
> > Steve O'Hara-Smith                          |   
> 
> 
> While I can compute what you wrote, I fail to see the implications.
> 
> Would you kindly explain in layman's terms ?

Let's say a script tests (upon execution) if the caller does
belong to a specific group. While root may execute all scripts
and "remove" all barriers, root:wheel will still have "wheel"
as the group. While "root is superior to non-root" is true,
"wheel is superior to non-wheel" does not apply.

In this fictional example, let's assume the script is executable
for a specific non-root user. Obviously, root can override this
and execute it anyway, even if the script is rwx/---/--- for
bob:foo. The script initially tests if the caller is member of
the group "foo" to continue. As root is member of "wheel", and
_not_ of "foo", the test will fail. The script doesn't continue.

Adding root to specific groups allows programs testing for group
membership to recognize the required group. It's comparable to
adding non-root users to "operation groups" like "dialer" or
"operator" to allow them execute scripts and programs that
are executable for the respective group, even though they are
owned by root, like rwx/r-x/---.




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


More information about the freebsd-questions mailing list