From nobody@FreeBSD.org  Sat Jan 11 19:52:42 2014
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1])
	(using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by hub.freebsd.org (Postfix) with ESMTPS id C7BAEC13
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 11 Jan 2014 19:52:42 +0000 (UTC)
Received: from oldred.freebsd.org (oldred.freebsd.org [IPv6:2001:1900:2254:206a::50:4])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by mx1.freebsd.org (Postfix) with ESMTPS id 9AEB91D5D
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 11 Jan 2014 19:52:42 +0000 (UTC)
Received: from oldred.freebsd.org ([127.0.1.6])
	by oldred.freebsd.org (8.14.5/8.14.7) with ESMTP id s0BJqgFI053810
	for <freebsd-gnats-submit@FreeBSD.org>; Sat, 11 Jan 2014 19:52:42 GMT
	(envelope-from nobody@oldred.freebsd.org)
Received: (from nobody@localhost)
	by oldred.freebsd.org (8.14.5/8.14.5/Submit) id s0BJqgx4053805;
	Sat, 11 Jan 2014 19:52:42 GMT
	(envelope-from nobody)
Message-Id: <201401111952.s0BJqgx4053805@oldred.freebsd.org>
Date: Sat, 11 Jan 2014 19:52:42 GMT
From: Jason Edwards <sub.mesa@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: Regression for 'pw usermod <user> -G <grouplist>'
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         185666
>Category:       bin
>Synopsis:       pw(8): Regression for 'pw usermod <user> -G <grouplist>' [regression]
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat Jan 11 20:00:00 UTC 2014
>Closed-Date:    
>Last-Modified:  Wed Apr 16 01:12:32 UTC 2014
>Originator:     Jason Edwards
>Release:        10.0-RC3
>Organization:
ZFSguru
>Environment:
FreeBSD zfsguru.bsd 10.0-RC3 FreeBSD 10.0-RC3 #0: Tue Dec 24 02:57:59 UTC 2013     jason@zfsguru:/usr/obj/tmpfs/2-source/sys/OFED-POLLING-ALTQ  amd64
>Description:
The pw(8) manpage states:

     -G grouplist  Set additional group memberships for an account.  grouplist
                   is a comma, space or tab-separated list of group names or
                   group numbers.  The user's name is added to the group lists
                   in /etc/group, and removed from any groups not specified in
                   grouplist.

This works as expected on FreeBSD 9.2-RELEASE, where the user is removed from any groups not specified explicitly in the -G grouplist. However, on 10.0-RC1 and 10.0-RC3, I can reproduce, 100% of the time, a regression where the username is *NOT* removed from the 'old group'. It is only added to the new group.
>How-To-Repeat:
It works as expected on 9.2:

pw useradd testuser
pw groupadd testgroup
pw groupadd testgroup2
pw usermod testuser -G testgroup

# /etc/group section before:
# testuser:*:1001:
# testgroup:*:1002:testuser
# testgroup2:*:1003:

pw usermod testuser -G testgroup2

# /etc/group section after:
# testuser:*:1001:
# testgroup:*:1002:
# testgroup2:*:1003:testuser

However, on 10.0-RC1 and 10.0-RC3 amd64 the behavior is very different; it does not remove the 'old group':

pw useradd testuser
pw groupadd testgroup
pw groupadd testgroup2
pw usermod testuser -G testgroup

# /etc/group section before:
# testuser:*:1004:
# testgroup:*:1005:testuser
# testgroup2:*:1006:

pw usermod testuser -G testgroup2

# /etc/group section after:
# testuser:*:1004:
# testgroup:*:1005:testuser
# testgroup2:*:1006:testuser
>Fix:
Workaround is to use 'groupmod' instead, to achieve a rough equivalent:

# remove <username> from the group <oldgroup>
pw groupmod <oldgroup> -d <username>
# add <username> to the group <newgroup>
pw groupmod <newgroup> -m <username>

Of course, the usermod -G command is superior, because it removes the user from all groups not specified explicitly.

>Release-Note:
>Audit-Trail:
>Unformatted:
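
Added example, not part of the original report and not code from pw(8): a membership left behind by this regression means the account keeps the old group's access, so this sh audit lists groups that still name a user although they are absent from the grouplist given to 'pw usermod -G', and prints (without running) the report's 'pw groupmod -d' workaround for each. The function names and the sample file are constructed for illustration; the sample reproduces the 10.0-RC3 "after" state shown above.

```shell
#!/bin/sh
# Added example: audit a group(5) file for supplementary memberships that
# 'pw usermod <user> -G <grouplist>' should have removed but did not.

# stale_groups GROUPFILE USER GROUPLIST   (hypothetical helper)
# GROUPLIST is comma, space or tab separated and may hold names or gids,
# as the pw(8) text quoted in the report describes.
stale_groups() {
    awk -F: -v user="$2" -v want="$3" '
        BEGIN {
            n = split(want, w, /[ \t,]+/)
            for (i = 1; i <= n; i++) if (w[i] != "") keep[w[i]] = 1
        }
        /^#/ || NF < 4 { next }            # skip comments and malformed lines
        {
            m = split($4, members, ",")    # exact match per member, no substrings
            for (i = 1; i <= m; i++)
                if (members[i] == user && !($1 in keep) && !($3 in keep)) {
                    print $1; break
                }
        }
    ' "$1"
}

# workaround_cmds GROUPFILE USER GROUPLIST   (hypothetical helper)
# Prints, but does not execute, the workaround command for each stale group.
workaround_cmds() {
    stale_groups "$1" "$2" "$3" | while read -r g; do
        printf 'pw groupmod %s -d %s\n' "$g" "$2"
    done
}

# Constructed sample: the /etc/group section after the second usermod on 10.0-RC3.
sample_group_file() {
    cat > "$1" <<'EOF'
testuser:*:1004:
testgroup:*:1005:testuser
testgroup2:*:1006:testuser
EOF
}

tmp=$(mktemp) && sample_group_file "$tmp"
stale_groups "$tmp" testuser testgroup2      # prints: testgroup
workaround_cmds "$tmp" testuser testgroup2   # prints: pw groupmod testgroup -d testuser
rm -f "$tmp"
```

On a live system, pass /etc/group as the first argument and review the printed commands before running any of them.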
