From max@gw.jmrodgers.com  Tue May 19 13:14:07 1998
Received: from gw.jmrodgers.com (gw.jmrodgers.com [205.247.224.2])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA04538
          for <FreeBSD-gnats-submit@freebsd.org>; Tue, 19 May 1998 13:14:04 -0700 (PDT)
          (envelope-from max@gw.jmrodgers.com)
Received: (from root@localhost)
	by gw.jmrodgers.com (8.8.8/8.8.8) id QAA13225;
	Tue, 19 May 1998 16:13:32 -0400 (EDT)
	(envelope-from max)
Message-Id: <199805192013.QAA13225@gw.jmrodgers.com>
Date: Tue, 19 May 1998 16:13:32 -0400 (EDT)
From: Max Euston <meuston@jmrodgers.com>
Reply-To: Max Euston <meuston@jmrodgers.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: [Patch] su(1) does not check primary group id
X-Send-Pr-Version: 3.2

>Number:         6696
>Category:       bin
>Synopsis:       su(1) does not check primary group id
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    steve
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue May 19 13:10:00 PDT 1998
>Closed-Date:    Thu Jun 4 15:30:58 PDT 1998
>Last-Modified:  Thu Jun  4 15:31:26 PDT 1998
>Originator:     Max Euston
>Release:        FreeBSD 2.2.5-STABLE i386
>Organization:
>Environment:

	-STABLE (& -CURRENT)

>Description:

su(1) does not allow a user who is a member of group 0 (in /etc/passwd)
to 'su root' unless they are also explicitly listed in /etc/group.

From 'man group':
	A user is automatically in a group if that group was specified
	in their /etc/passwd entry and does not need to be added to that
	group in the /etc/group file.

>How-To-Repeat:

	Add a user to group 0, but don't add them to /etc/group.
	Try to 'su root'.

>Fix:

diff -u /src/usr.bin/su/su.1 ./su.1
--- /src/usr.bin/su/su.1	Fri Feb 20 17:35:16 1998
+++ ./su.1	Tue May 19 12:37:11 1998
@@ -152,13 +152,16 @@
 usually expects a single argument only; you have to quote it when
 passing multiple words.
 .Pp
-Only users listed in group 0 (normally
+Only users who are a member of group 0 (normally
 .Dq wheel )
 can
 .Nm
 to
-.Dq root ,
-unless this group is empty.
+.Dq root .
+\ If group 0 is missing or empty, any user can
+.Nm
+to
+.Dq root .
 .Pp
 By default (unless the prompt is reset by a startup file) the super-user
 prompt is set to
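
Review bot: The added text line `\ If group 0 is missing or empty, any user can` begins with a `\ ` escape that none of the surrounding text lines use; the previous sentence already ends on its own macro line (`.Dq root .`), so the new sentence can start with a plain `If`. In the first changed line, "users who are a member of group 0" should read "users who are members of group 0". The sentence stating that any user can su to root when group 0 is missing or empty is the part an administrator most needs to see, so it is good that it is now spelled out rather than left as "unless this group is empty".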

diff -u /src/usr.bin/su/su.c ./su.c
--- /src/usr.bin/su/su.c	Fri Feb 20 17:35:16 1998
+++ ./su.c	Tue May 19 15:36:13 1998
@@ -113,6 +113,7 @@
 	char *p, **g, *user, *shell=NULL, *username, **cleanenv, **nargv, **np;
 	struct group *gr;
 	uid_t ruid;
+	gid_t gid;
 	int asme, ch, asthem, fastlogin, prio, i;
 	enum { UNSET, YES, NO } iscsh = UNSET;
 #ifdef LOGIN_CAP
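
Review bot: The new `gid_t gid;` declared next to `uid_t ruid;` does not say whose group id it holds. The later check `pwd->pw_uid == 0` is applied to the target account, so this variable has to carry the invoking user's primary group across that point; a short comment on the declaration, or a name that says so, would keep a later reader from replacing it with `pwd->pw_gid` at the point of use.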
@@ -198,6 +199,7 @@
 	if (pwd == NULL)
 		errx(1, "who are you?");
 	username = strdup(pwd->pw_name);
+	gid = pwd->pw_gid;
 	if (username == NULL)
 		err(1, NULL);
 	if (asme) {
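
Review bot: `gid = pwd->pw_gid;` is inserted between `username = strdup(pwd->pw_name);` and the `if (username == NULL)` check that belongs to it. Moving the assignment below the `err(1, NULL);` line (or above the `strdup` call) keeps the allocation and its failure check adjacent, so the check is not separated from the call it guards.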
@@ -249,14 +251,21 @@
 		}
 #endif
 		{
-			/* only allow those in group zero to su to root. */
+			/*
+			 * Only allow those with pw_gid==0 or those listed in
+			 * group zero to su to root.  If group zero entry is
+			 * missing or empty, then allow anyone to su to root.
+			 * iswheelsu will only be set if the user is EXPLICITLY
+			 * listed in group zero.
+			 */
 			if (pwd->pw_uid == 0 && (gr = getgrgid((gid_t)0)) &&
 			    gr->gr_mem && *(gr->gr_mem))
 				for (g = gr->gr_mem;; ++g) {
 					if (!*g)
-						errx(1,
-			    "you are not in the correct group to su %s.",
-						    user);
+						if (gid == 0)
+							break;
+						else
+							errx(1, "you are not in the correct group to su %s.", user);
 					if (strcmp(username, *g) == 0) {
 #ifdef WHEELSU
 						iswheelsu = 1;
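
Review bot: Under `if (!*g)` the new `if (gid == 0) break; else errx(...)` is nested without braces, so the `else` pairs with the inner `if` only by the dangling-else rule; since this is the branch that decides whether a user may become root, put braces around the body of `if (!*g)` so the pairing is explicit. The joined `errx(1, "you are not in the correct group to su %s.", user);` line also runs well past 80 columns where the removed lines had wrapped it. The behaviour itself matches the new comment: the member list is walked first, so `iswheelsu` is set only for users explicitly listed, and the saved `gid` is consulted only when the end of the list is reached.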
>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->suspended 
State-Changed-By: phk 
State-Changed-When: Sat May 23 00:42:39 PDT 1998 
State-Changed-Why:  
awaiting committer 
Responsible-Changed-From-To: freebsd-bugs->steve 
Responsible-Changed-By: steve 
Responsible-Changed-When: Sun May 24 20:35:17 PDT 1998 
Responsible-Changed-Why:  
Committed to -current.  I will MFC after the required settling 
period. 
State-Changed-From-To: suspended->closed 
State-Changed-By: steve 
State-Changed-When: Thu Jun 4 15:30:58 PDT 1998 
State-Changed-Why:  
Patch committed to both -current and -stable.  Thanks! 
>Unformatted:
