From glebius@cell.sick.ru  Sat May  4 00:10:43 2002
Return-Path: <glebius@cell.sick.ru>
Received: from cell.sick.ru (cell.sick.ru [195.91.162.238])
	by hub.freebsd.org (Postfix) with ESMTP id B549B37B41B
	for <FreeBSD-gnats-submit@freebsd.org>; Sat,  4 May 2002 00:10:42 -0700 (PDT)
Received: from cell.sick.ru (localhost [127.0.0.1])
	by cell.sick.ru (8.12.3/8.12.3) with ESMTP id g447AdMF040271
	(version=TLSv1/SSLv3 cipher=EDH-RSA-DES-CBC3-SHA bits=168 verify=NO)
	for <FreeBSD-gnats-submit@freebsd.org>; Sat, 4 May 2002 11:10:40 +0400 (MSD)
	(envelope-from glebius@cell.sick.ru)
Received: (from glebius@localhost)
	by cell.sick.ru (8.12.3/8.12.3/Submit) id g447Aclt040270;
	Sat, 4 May 2002 11:10:39 +0400 (MSD)
Message-Id: <200205040710.g447Aclt040270@cell.sick.ru>
Date: Sat, 4 May 2002 11:10:39 +0400 (MSD)
From: Gleb Smirnoff <glebius@cell.sick.ru>
Reply-To: Gleb Smirnoff <glebius@cell.sick.ru>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: su(1) does not behave the way it is described in man
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         37733
>Category:       bin
>Synopsis:       su(1) does not behave the way it is described in man
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sat May 04 00:20:01 PDT 2002
>Closed-Date:    Sat Jan 26 01:00:43 UTC 2008
>Last-Modified:  Sat Jan 26 01:00:43 UTC 2008
>Originator:     Gleb Smirnoff
>Release:        FreeBSD 4.5-STABLE i386
>Organization:
RiNet ISP
>Environment:
System: FreeBSD cell.sick.ru 4.5-STABLE FreeBSD 4.5-STABLE #0: Tue Apr 30 19:19:30 MSD 2002 glebius@cell.sick.ru:/usr/obj/usr/src/sys/NUCLEUS i386

>Description:
	As mentioned in the su(1) manpage:

     Only users who are a member of group 0 (normally ``wheel'') can su to
     ``root''.   If group 0 is missing or empty, any user can su to ``root''.

	But if a user is not listed in group wheel and his primary group is 0,
	he is allowed to su to root. As is said in a comment in su.c, this
	is the desired behavior. This is quite different from the manpage.

>How-To-Repeat:
	Set the user's primary group to 0 and delete him from wheel in /etc/group.
	Try su.
>Fix:
	su's current behavior always gives all wheel members the possibility
	to become root. I suppose it would be better to make su work as
	described in the manpage. Then one can have wheel rights (to read
	logs etc.) but cannot become root if he has primary uid 0 and is
	not explicitly listed in /etc/group.
	Here is the fix:

--- su.c.orig	Sat May  4 11:08:40 2002
+++ su.c	Sat May  4 11:09:01 2002
@@ -254,9 +254,6 @@
 			    gr->gr_mem && *(gr->gr_mem))
 				for (g = gr->gr_mem;; ++g) {
 					if (!*g) {
-						if (gid == 0)
-							break;
-						else
 							errx(1,
 			     "you are not in the correct group (%s) to su %s.",
 							    gr->gr_name,
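Review bot: with the `if (gid == 0) break; else` removed, the `errx(1,` call that follows is now the unconditional body of `if (!*g)`, but it keeps the indentation of the deleted `else` branch; re-indent the `errx(1,` line and its arguments one level to match the block. The policy effect deserves a sentence in the commit message: since this loop only runs when `gr->gr_mem && *(gr->gr_mem)` (first context line of the hunk), a non-empty group 0 now grants root only to users explicitly listed in it, and a user whose primary gid is 0 but who is absent from the member list gets the "you are not in the correct group" error; an absent or empty group 0 is untouched and still admits everyone, as the manpage quoted in the description says.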
>Release-Note:
>Audit-Trail:

From: Ceri Davies <setantae@submonkey.net>
To: Gleb Smirnoff <glebius@cell.sick.ru>
Cc: FreeBSD-gnats-submit@FreeBSD.org
Subject: Re: bin/37733: su(1) does not behave the way it is described in man
Date: Sat, 4 May 2002 14:53:01 +0100

 On Sat, May 04, 2002 at 11:10:39AM +0400, Gleb Smirnoff wrote:
 
 > 	But if a user is not listed in group wheel and his primary group is 0,
 > 	he is allowed to su to root. As is said in a comment in su.c, this
 > 	is the desired behavior. This is quite different from the manpage.
 
 If your primary group is 0, then you *are* in wheel (which is the group with
 gid 0).
 
 Ceri
 
 -- 
 get the cool shoe shine

From: Gleb Smirnoff <glebius@cell.sick.ru>
To: Ceri Davies <setantae@submonkey.net>,
	FreeBSD-gnats-submit@FreeBSD.org
Cc:  
Subject: Re: bin/37733: su(1) does not behave the way it is described in man
Date: Sat, 4 May 2002 19:34:01 +0400

 On Sat, May 04, 2002 at 02:53:01PM +0100, Ceri Davies wrote:
 C> > 	But if a user is not listed in group wheel and his primary group is 0,
 C> > 	he is allowed to su to root. As is said in a comment in su.c, this
 C> > 	is the desired behavior. This is quite different from the manpage.
 C> 
 C> If your primary group is 0, then you *are* in wheel (which is the group with
 C> gid 0).
 
 So there is no way to give a user wheel rights (for reading many files and logs)
 but not permit him to su to root?
 
 By the way, OpenBSD's su behaves exactly the way described in the manpage: it
 allows only users listed in the wheel group in /etc/group to su to root.
 
 -- 
 Totus tuus, Glebius.
 GLEBIUS-RIPN GLEB-RIPE

From: "Crist J. Clark" <cjc@FreeBSD.ORG>
To: Gleb Smirnoff <glebius@cell.sick.ru>
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: bin/37733: su(1) does not behave the way it is described in man
Date: Sat, 4 May 2002 12:35:40 -0700

 On Sat, May 04, 2002 at 11:10:39AM +0400, Gleb Smirnoff wrote:
 [snip]
 
 > >Description:
 > 	As it is mentioned in manpage su(1) :
 > 
 >      Only users who are a member of group 0 (normally ``wheel'') can su to
 >      ``root''.   If group 0 is missing or empty, any user can su to ``root''.
 > 
 > 	But if a user is not listed in group wheel and his primary group is 0,
 > 	he is allowed to su to root. As is said in a comment in su.c, this
 > 	is the desired behavior. This is quite different from the manpage.
 
 This is kind of funny. The person who added this feature to su(1) did so
 because someone submitted a PR and they thought it was _more_ consistent
 with the manpages:
 
   revision 1.26
   date: 1998/05/25 03:34:52;  author: steve;  state: Exp;  lines: +14 -5
   Allow a user in group 0 to su(1) to root if their primary
   group is 0 in /etc/passwd even if they aren't listed
   as a member in /etc/group.  This is more inline with
   what the group manpage says.
 
   PR:             6696
   Submitted by:   Max Euston <meuston@jmrodgers.com>
 
 Have a look at the argument in that PR.
 -- 
 Crist J. Clark                     |     cjclark@alum.mit.edu
                                    |     cjclark@jhu.edu
 http://people.freebsd.org/~cjc/    |     cjc@freebsd.org
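A stand-alone C model of the group-0 check that the PR's patch and revision 1.26 disagree about, added here for illustration and not taken from FreeBSD's or OpenBSD's su.c; `may_su_root`, the `policy` enum and the group entries are my own constructed names and data. It covers the case the check is reached for (a non-root user targeting root) and contrasts the rev 1.26 rule with the manpage-literal rule the patch implements, including the "group 0 missing or empty" case from the manpage.

```c
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Which rule decides once the member list of group 0 is exhausted. */
enum policy {
    POLICY_FREEBSD,   /* rev 1.26: primary gid 0 suffices even if not listed */
    POLICY_MANPAGE    /* PR's patch / OpenBSD: only listed members qualify   */
};

/*
 * Model (not su.c itself) of the check applied for a non-root user
 * targeting root. gr is the group-0 entry (NULL if none exists), gid the
 * caller's primary gid from /etc/passwd. Returns 1 if su may proceed.
 */
int may_su_root(gid_t gid, const char *user, const struct group *gr,
                enum policy pol)
{
    char **g;

    /* Group 0 missing or without members: the manpage says anyone may su. */
    if (gr == NULL || gr->gr_mem == NULL || *gr->gr_mem == NULL)
        return 1;
    for (g = gr->gr_mem; *g != NULL; ++g)
        if (strcmp(user, *g) == 0)
            return 1;              /* explicitly listed in /etc/group */
    /* End of the member list with no match: this is where the hunk differs. */
    return pol == POLICY_FREEBSD && gid == 0;
}

/* Constructed group data, not taken from any real system. */
static char *wheel_members[] = { "alice", NULL };
static const struct group wheel =
    { .gr_name = "wheel", .gr_gid = 0, .gr_mem = wheel_members };
static char *no_members[] = { NULL };
static const struct group empty_wheel =
    { .gr_name = "wheel", .gr_gid = 0, .gr_mem = no_members };

int main(void)
{
    /* bob has primary gid 0 in passwd but is not listed in wheel. */
    printf("bob, rev 1.26 rule: %d\n",
           may_su_root(0, "bob", &wheel, POLICY_FREEBSD));            /* 1 */
    printf("bob, manpage rule:  %d\n",
           may_su_root(0, "bob", &wheel, POLICY_MANPAGE));            /* 0 */
    printf("carol, empty group: %d\n",
           may_su_root(1000, "carol", &empty_wheel, POLICY_MANPAGE)); /* 1 */
    return 0;
}
```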
State-Changed-From-To: open->closed 
State-Changed-By: linimon 
State-Changed-When: Sat Jan 26 00:54:41 UTC 2008 
State-Changed-Why:  
It sounds to me like su does indeed describe the current behavior. 
If your primary group is 0, then indeed you are in group 0 :-)  I read 
it as /etc/groups being _additional_ groups that a user is in. 

If there is a need to create a group which can read but not modify 
logs, then IMHO that's a local site decision and it should be a group 
other than group 0.  Changing the meaning of group 0 would be a POLA 
violation (at least at lonesome.com). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=37733 
>Unformatted:
