'pw usermod -G' not removing user from group?

Matthew Pherigo hybrid120 at gmail.com
Thu Mar 26 14:25:02 UTC 2015

Thanks for your email, Rick. While I understand the necessity of the security-patch-only limitation, I would argue that this issue actually IS a security risk, like so:

Case 1: admin needs to add a user to a group. This works correctly.
Case 2: admin needs to remove a user from a group. This doesn't work, but since the admin has just shown that he doesn't need or want this user to be part of the group, he won't attempt to access those group resources by the user unless he is explicitly testing it. I only noticed this bug because Salt had a test case for it.
Case 3: admin needs to remove one group and add another. The new group is added correctly, but the old group is not removed. It's much more likely that the addition will be noticed while the failed removal will not.

I would argue that this is much more dangerous than the opposite (Addition of groups failing but removal of groups succeeding), as giving an account too much privilege is a security risk while an account not having enough privilege is simply an inconvenience.

Hopefully this can be resolved soon.

> On Mar 26, 2015, at 7:28 AM, Rick Miller <vmiller at hostileadmin.com> wrote:
>> On Wed, Mar 25, 2015 at 5:18 PM, Matthew Pherigo <hybrid120 at gmail.com> wrote:
>> Thanks, Rick! It's crazy that they didn't allow it in; seems like a pretty big issue. Hopefully they'll release a patch through FreeBSD-update soon. In the meantime, do you or anyone else know how to work around this?
> I believe it's unlikely to hit releng/10.1, but I could be wrong.  The reason I don't think it will be merged is because RE and/or security officer probably don't believe it fits the criteria for merging into a releng branch, which typically only receive security and errata updates.  That said, because it did get merged into stable/10, it will be included in releng/10.2.
> I merged the patch from stable/10 into our internal development branches so that it would be available in our internal distributions.  It was caught in time so that we did not have to go to great lengths to get it deployed.  It was simply a matter of compiling the distribution.  For systems already installed it is necessary to apply the patch to the sources and recompile and reinstall base.
> -- 
> Take care
> Rick Miller

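As an added example that is not part of this thread: a POSIX sh check that compares an account's actual supplementary groups with the set the administrator intended, so the Case 2 and Case 3 failure (a removal that silently did not happen) is reported instead of leaving the account over-privileged. The user `alice` and the groups `wheel` and `operator` are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: after `pw usermod -G ...`
# verify that the live group list matches what the admin meant to set.

# Print the words of "$1" (space- or comma-separated) as a sorted, unique,
# space-separated list.
normalize_groups() {
    printf '%s\n' "$1" | tr ', ' '\n\n' | sed '/^$/d' | sort -u |
        tr '\n' ' ' | sed 's/ $//'
}

# Print the groups present in the second list but absent from the first.
groups_not_in() {
    want=$(normalize_groups "$1")
    out=""
    for g in $(normalize_groups "$2"); do
        case " $want " in
            *" $g "*) ;;
            *) out="$out $g" ;;
        esac
    done
    printf '%s' "${out# }"
}

# check_membership USER INTENDED [ACTUAL]
# ACTUAL defaults to the live supplementary groups from `id -Gn`, with the
# primary group (listed first) dropped. Exit status: 0 match, 1 extra groups
# (privilege the admin meant to revoke), 2 only missing groups.
check_membership() {
    user=$1
    intended=$2
    actual=${3:-$(id -Gn "$user" | cut -d' ' -s -f2-)}
    extra=$(groups_not_in "$intended" "$actual")
    missing=$(groups_not_in "$actual" "$intended")
    [ -n "$missing" ] && echo "$user: missing groups: $missing"
    if [ -n "$extra" ]; then
        echo "$user: STILL IN groups meant to be removed: $extra" >&2
        return 1
    fi
    [ -n "$missing" ] && return 2
    return 0
}

# Constructed sample: the admin ran `pw usermod alice -G wheel`, but the
# account still reports the old 'operator' group next to the new one.
if check_membership alice "wheel" "wheel operator"; then
    echo "alice: group membership matches"
else
    echo "alice: verification failed with status $?"
fi
```

Run it on a live system by omitting the third argument, so the groups come from `id -Gn` after the `pw usermod` call.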