From msaad@blindness.ops.about.com  Wed May  9 16:15:00 2012
Date: Wed, 9 May 2012 12:07:54 -0400 (EDT)
From: Mark Saad <msaad@about.com>
Reply-To: Mark Saad <msaad@about.com>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: Group Passwords do not work and are not documented properly
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         167741
>Category:       docs
>Synopsis:       group(5): Group Passwords do not work and are not documented properly
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-doc
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed May 09 16:20:11 UTC 2012
>Closed-Date:    Thu Jul 11 12:47:30 UTC 2013
>Last-Modified:  Thu Jul 11 12:50:02 UTC 2013
>Originator:     Mark Saad
>Release:        FreeBSD 9.0-STABLE amd64
>Organization:
About.com
>Environment:
System: FreeBSD blindness.ops.about.com 9.0-STABLE FreeBSD 9.0-STABLE #2: Tue Apr 10 11:32:01 EDT 2012 root@blindness.ops.about.com:/usr/obj/usr/src/sys/GENERIC amd64


>Description:
	Group Password support appears to be broken, and the man pages for group, newgrp, groups do not mention how to use
it.  Eitan Adler noted this is a docs bug; however, following his instructions, which appear to be correct, does not work.
>How-To-Repeat:


root@blindness:~# pw groupadd testgroup
root@blindness:~# pw group mod testgroup -h 0
New password for group testgroup:   <Enter the password: blahblahblah>
root@blindness:~# exit
logout
msaad@blindness:~% newgrp testgroup
Password:
newgrp: setgid: Operation not permitted
msaad@blindness:~%

>Fix:

Part 1.
  In the group man page (man 5 group), the SEE ALSO section should include a reference to newgrp(1).
In the man page for newgrp(1) an example of how to set a group password should be included.
Something similar to my example.

Part 2. 
   The group password option fails to work, with the users unable to call setgid. A part of a truss of the process is below.


Truss Output

write(3,"Password:",9)                           = 9 (0x9)
read(3,"a",1)                                    = 1 (0x1)
read(3,"\n",1)                                   = 1 (0x1)
write(3,"\n",1)                                  = 1 (0x1)
ioctl(3,TIOCSETAF,0xffffd660)                    = 0 (0x0)
sigaction(SIGALRM,{ SIG_DFL 0x0 ss_t },0x0)      = 0 (0x0)
sigaction(SIGHUP,{ SIG_DFL 0x0 ss_t },0x0)       = 0 (0x0)
sigaction(SIGINT,{ SIG_DFL SA_RESTART ss_t },0x0) = 0 (0x0)
sigaction(SIGQUIT,{ SIG_DFL SA_RESTART ss_t },0x0) = 0 (0x0)
sigaction(SIGPIPE,{ SIG_DFL SA_RESTART ss_t },0x0) = 0 (0x0)
sigaction(SIGTERM,{ SIG_DFL SA_RESTART|SA_SIGINFO ss_t },0x0) = 0 (0x0)
sigaction(SIGTSTP,{ SIG_DFL SA_RESTART ss_t },0x0) = 0 (0x0)
sigaction(SIGTTIN,{ SIG_DFL SA_RESTART ss_t },0x0) = 0 (0x0)
sigaction(SIGTTOU,{ SIG_DFL SA_RESTART ss_t },0x0) = 0 (0x0)
close(3)                                         = 0 (0x0)
open("/etc/auth.conf",O_RDONLY,0141)             = 3 (0x3)
read(3,"#\n# $FreeBSD: src/etc/auth.conf"...,4096) = 237 (0xed)
read(3,0x7fffffffc670,4096)                      = 0 (0x0)
close(3)                                         = 0 (0x0)
__sysctl(0x7fffffffd950,0x2,0x7fffffffd96c,0x7fffffffd960,0x0,0x0) = 0 (0x0)
getgroups(0x400,0x801041000,0x801000658,0x42,0x601f48,0xffffffff) = 3 (0x3)
seteuid(0x3ea,0x801041008,0x3,0x3,0x601f48,0xffffffff) = 0 (0x0)
setgid(0x3eb,0x801041008,0x3,0x3,0x601f48,0xffffffff) ERR#1 'Operation not permitted'
getuid()                                         = 1002 (0x3ea)
seteuid(0x3ea,0x801041008,0xffffffffffffffff,0x1,0x601f48,0xffffffff) = 0 (0x0)
write(2,"newgrp: ",8)                            = 8 (0x8)
write(2,"setgid",6)                              = 6 (0x6)
write(2,": ",2)                                  = 2 (0x2)
stat("/usr/share/nls/C/libc.cat",0x7fffffffd330) ERR#2 'No such file or directory'
stat("/usr/share/nls/libc/C",0x7fffffffd330)     ERR#2 'No such file or directory'
stat("/usr/local/share/nls/C/libc.cat",0x7fffffffd330) ERR#2 'No such file or directory'
stat("/usr/local/share/nls/libc/C",0x7fffffffd330) ERR#2 'No such file or directory'
write(2,"Operation not permitted\n",24)          = 24 (0x18)
seteuid(0x3ea,0x7fffffffd210,0x0,0x18,0x7ff7ff2af0d6,0xffffffff) = 0 (0x0)
getuid()                                         = 1002 (0x3ea)
setuid(0x3ea,0x7fffffffd210,0x0,0x18,0x7ff7ff2af0d6,0xffffffff) = 0 (0x0)
execve("/bin/csh",<missing argument>,<missing argument>) = 0 (0x0)
mmap(0x0,32768,PROT_READ|PROT_WRITE,MAP_PRIVATE|MAP_ANON,-1,0x0) = 34366480384 (0x80066e000)
issetugid(0x80086ea20,0x7fffffffefd7,0x40,0x0,0xffff80080086fa49,0x0) = 0 (0x0)
open("/etc/libmap.conf",O_RDONLY,041603500)      ERR#2 'No such file or directory'
open("/var/run/ld-elf.so.hints",O_RDONLY,057)    = 3 (0x3)
read(3,"Ehnt\^A\0\0\0\M^@\0\0\0\M-a\0\0"...,128) = 128 (0x80)
lseek(3,0x80,SEEK_SET)   




>Release-Note:
>Audit-Trail:

From: Dag-Erling Smørgrav <des@des.no>
To: freebsd-gnats-submit@freebsd.org 
Cc:  
Subject: docs/167741
Date: Fri, 08 Feb 2013 09:32:59 +0100

 newgrp(1) fails because it is not setuid root out of the box.  You have
 to "chmod u+s /usr/bin/newgrp".  This is intentional, cf. the last
 paragraph of the man page.
 
 DES
 -- 
 Dag-Erling Smørgrav - des@des.no
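
The two conditions this thread turns on (whether newgrp carries the setuid bit, and whether any group has a password set) can be audited together. The script below is an added example, not part of the original PR or the FreeBSD sources; the function names, the sample data, and the treatment of an empty or `*` password field as "no password" are assumptions of the example.

```shell
#!/bin/sh
# Added example: audit newgrp's setuid state and group(5) password fields.

# Names of groups whose password field (2nd field of group(5)) is set.
# Assumption of this example: "" and "*" both mean "no usable password".
groups_with_password() {
    awk -F: '
        /^[ \t]*#/ || NF < 3  { next }    # skip comments and malformed lines
        $2 != "" && $2 != "*" { print $1 }
    ' "$1"
}

# Prints "not-setuid", "setuid-root" or "setuid-nonroot" for a binary.
newgrp_state() {
    if [ ! -u "$1" ]; then
        echo "not-setuid"
    elif [ "$(ls -ldn "$1" | awk '{ print $3 }')" = "0" ]; then
        echo "setuid-root"
    else
        echo "setuid-nonroot"
    fi
}

# audit GROUP_FILE NEWGRP_PATH
audit() {
    state=$(newgrp_state "$2")
    hashed=$(groups_with_password "$1" | tr '\n' ' ')
    echo "newgrp ($2): $state"
    echo "groups with a password set: ${hashed:-none}"
    # newgrp can only change groups when it is setuid root (see the reply
    # above); together with a set group password that deserves a review.
    if [ "$state" = "setuid-root" ] && [ -n "$hashed" ]; then
        echo "REVIEW: prefer adding users to the group over a group password"
    fi
}

# Constructed sample; the hash is a placeholder, not a real crypt(3) string.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '# constructed sample' 'wheel:*:0:root' \
        'testgroup:$1$CONSTRUCTED$placeholder:1003:' 'staff::20:' > "$d/group"
    : > "$d/newgrp"; chmod 755 "$d/newgrp"
    audit "$d/group" "$d/newgrp"
    rm -rf "$d"
}

demo
# On a FreeBSD host: audit /etc/group /usr/bin/newgrp
```
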

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/167741: commit references a PR
Date: Fri,  8 Feb 2013 14:14:13 +0000 (UTC)

 Author: des
 Date: Fri Feb  8 14:14:00 2013
 New Revision: 246553
 URL: http://svnweb.freebsd.org/changeset/base/246553
 
 Log:
   Print a warning if not setuid root.
   Document the need for the setuid bit and how to set it.
   Explain why it isn't set by default, and suggest simply adding users
   to groups instead.
   
   PR:		docs/167741
   MFC after:	3 weeks
 
 Modified:
   head/usr.bin/newgrp/newgrp.1
   head/usr.bin/newgrp/newgrp.c
 
 Modified: head/usr.bin/newgrp/newgrp.1
 ==============================================================================
 --- head/usr.bin/newgrp/newgrp.1	Fri Feb  8 14:11:12 2013	(r246552)
 +++ head/usr.bin/newgrp/newgrp.1	Fri Feb  8 14:14:00 2013	(r246553)
 @@ -24,7 +24,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd May 23, 2002
 +.Dd February 8, 2013
  .Dt NEWGRP 1
  .Os
  .Sh NAME
 @@ -90,6 +90,15 @@ A
  utility appeared in
  .At v6 .
  .Sh BUGS
 +For security reasons, the
 +.Nm
 +utility is normally installed without the setuid bit.
 +To enable it, run the following command:
 +.Bd -literal -offset indent
 +chmod u+s /usr/bin/newgrp
 +.Ed
 +.Pp
  Group passwords are inherently insecure as there is no way to stop
 -users obtaining the crypted passwords from the group database.
 +users obtaining the password hash from the group database.
  Their use is discouraged.
 +Instead, users should simply be added to the necessary groups.
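
Review bot: The added BUGS paragraph says only "For security reasons" and never names the reason, although the log message promises to explain why the bit is not set by default. Say what the concern is in one sentence, or tie it explicitly to the following paragraph about password hashes being readable from the group database, which at present is separated from it by `.Pp` with no link between the two. A deliberate install-time choice is also not really a bug, so a section other than BUGS may suit the first paragraph better.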
 
 Modified: head/usr.bin/newgrp/newgrp.c
 ==============================================================================
 --- head/usr.bin/newgrp/newgrp.c	Fri Feb  8 14:11:12 2013	(r246552)
 +++ head/usr.bin/newgrp/newgrp.c	Fri Feb  8 14:14:00 2013	(r246553)
 @@ -73,7 +73,8 @@ main(int argc, char *argv[])
  {
  	int ch, login;
  
 -	euid = geteuid();
 +	if ((euid = geteuid()) != 0)
 +		warnx("need root permissions to function properly, check setuid bit");
  	if (seteuid(getuid()) < 0)
  		err(1, "seteuid");
  
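
Review bot: The new check at the top of main() uses warnx() and then carries on, so a newgrp without the setuid bit still goes on to prompt for the group password and only fails later at setgid, as in the transcript in the original report. If nothing useful can be done without root, errx() here would avoid collecting a password that cannot be honoured; if continuing is intended, a short comment saying why would help. The message could also point at the remedy the man page now gives ("chmod u+s /usr/bin/newgrp") rather than just "check setuid bit".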
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/167741: commit references a PR
Date: Fri,  8 Feb 2013 14:11:25 +0000 (UTC)

 Author: des
 Date: Fri Feb  8 14:11:12 2013
 New Revision: 246552
 URL: http://svnweb.freebsd.org/changeset/base/246552
 
 Log:
   Cross-reference newgrp(1), and document the use of pw(8) to set the group
   password.
   
   PR:		docs/167741
   MFC after:	3 weeks
 
 Modified:
   head/share/man/man5/group.5
 
 Modified: head/share/man/man5/group.5
 ==============================================================================
 --- head/share/man/man5/group.5	Fri Feb  8 12:53:29 2013	(r246551)
 +++ head/share/man/man5/group.5	Fri Feb  8 14:11:12 2013	(r246552)
 @@ -32,7 +32,7 @@
  .\"     From: @(#)group.5	8.3 (Berkeley) 4/19/94
  .\" $FreeBSD$
  .\"
 -.Dd September 29, 1994
 +.Dd February 8, 2013
  .Dt GROUP 5
  .Os
  .Sh NAME
 @@ -139,6 +139,7 @@ may still have this limit.
  .It Pa /etc/group
  .El
  .Sh SEE ALSO
 +.Xr newgrp 1 ,
  .Xr passwd 1 ,
  .Xr setgroups 2 ,
  .Xr crypt 3 ,
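
Review bot: Since the last hunk of this change sends readers to pw(8), SEE ALSO should carry `.Xr pw 8` as well as the new `.Xr newgrp 1`. The context shown here covers only the section 1 to 3 entries, so confirm it is already listed further down or add it in this commit.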
 @@ -156,9 +157,14 @@ file format appeared in
  .At v6 .
  Support for comments first appeared in
  .Fx 3.0 .
 -.Sh BUGS
 +.Sh IMPLEMENTATION NOTES
  The
  .Xr passwd 1
  command does not change the
  .Nm
  passwords.
 +The
 +.Xr pw 8
 +utility's
 +.Cm groupmod
 +command should be used instead.
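
Review bot: Renaming `.Sh BUGS` to `.Sh IMPLEMENTATION NOTES` in place leaves the section after the HISTORY text visible in the context lines, while the conventional mdoc order puts IMPLEMENTATION NOTES before SEE ALSO and HISTORY; either move the block up or keep a section name that belongs at the end. The added sentence names `groupmod` but not how to set the password, which the log message says is being documented; mention the `-h` option used in the report (`pw group mod testgroup -h 0`).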
 
State-Changed-From-To: open->closed 
State-Changed-By: des 
State-Changed-When: Thu Jul 11 12:47:29 UTC 2013 
State-Changed-Why:  
fixed in head and stable/9 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167741 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/167741: commit references a PR
Date: Thu, 11 Jul 2013 12:47:19 +0000 (UTC)

 Author: des
 Date: Thu Jul 11 12:47:06 2013
 New Revision: 253205
 URL: http://svnweb.freebsd.org/changeset/base/253205
 
 Log:
   MFH (r246553): document and explain need for setuid bit.
   
   PR:		docs/167741
 
 Modified:
   stable/9/usr.bin/newgrp/newgrp.1
   stable/9/usr.bin/newgrp/newgrp.c
 Directory Properties:
   stable/9/usr.bin/newgrp/   (props changed)
 
 Modified: stable/9/usr.bin/newgrp/newgrp.1
 ==============================================================================
 --- stable/9/usr.bin/newgrp/newgrp.1	Thu Jul 11 12:46:35 2013	(r253204)
 +++ stable/9/usr.bin/newgrp/newgrp.1	Thu Jul 11 12:47:06 2013	(r253205)
 @@ -24,7 +24,7 @@
  .\"
  .\" $FreeBSD$
  .\"
 -.Dd May 23, 2002
 +.Dd February 8, 2013
  .Dt NEWGRP 1
  .Os
  .Sh NAME
 @@ -90,6 +90,15 @@ A
  utility appeared in
  .At v6 .
  .Sh BUGS
 +For security reasons, the
 +.Nm
 +utility is normally installed without the setuid bit.
 +To enable it, run the following command:
 +.Bd -literal -offset indent
 +chmod u+s /usr/bin/newgrp
 +.Ed
 +.Pp
  Group passwords are inherently insecure as there is no way to stop
 -users obtaining the crypted passwords from the group database.
 +users obtaining the password hash from the group database.
  Their use is discouraged.
 +Instead, users should simply be added to the necessary groups.
 
 Modified: stable/9/usr.bin/newgrp/newgrp.c
 ==============================================================================
 --- stable/9/usr.bin/newgrp/newgrp.c	Thu Jul 11 12:46:35 2013	(r253204)
 +++ stable/9/usr.bin/newgrp/newgrp.c	Thu Jul 11 12:47:06 2013	(r253205)
 @@ -73,7 +73,8 @@ main(int argc, char *argv[])
  {
  	int ch, login;
  
 -	euid = geteuid();
 +	if ((euid = geteuid()) != 0)
 +		warnx("need root permissions to function properly, check setuid bit");
  	if (seteuid(getuid()) < 0)
  		err(1, "seteuid");
  
 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: docs/167741: commit references a PR
Date: Thu, 11 Jul 2013 12:49:25 +0000 (UTC)

 Author: des
 Date: Thu Jul 11 12:49:12 2013
 New Revision: 253206
 URL: http://svnweb.freebsd.org/changeset/base/253206
 
 Log:
   MFH (r246552): mention newgrp(1) and how to change the group password.
   
   PR:		docs/167741
 
 Modified:
   stable/9/share/man/man5/group.5
 Directory Properties:
   stable/9/share/man/man5/   (props changed)
 
 Modified: stable/9/share/man/man5/group.5
 ==============================================================================
 --- stable/9/share/man/man5/group.5	Thu Jul 11 12:47:06 2013	(r253205)
 +++ stable/9/share/man/man5/group.5	Thu Jul 11 12:49:12 2013	(r253206)
 @@ -32,7 +32,7 @@
  .\"     From: @(#)group.5	8.3 (Berkeley) 4/19/94
  .\" $FreeBSD$
  .\"
 -.Dd September 29, 1994
 +.Dd February 8, 2013
  .Dt GROUP 5
  .Os
  .Sh NAME
 @@ -139,6 +139,7 @@ may still have this limit.
  .It Pa /etc/group
  .El
  .Sh SEE ALSO
 +.Xr newgrp 1 ,
  .Xr passwd 1 ,
  .Xr setgroups 2 ,
  .Xr crypt 3 ,
 @@ -156,9 +157,14 @@ file format appeared in
  .At v6 .
  Support for comments first appeared in
  .Fx 3.0 .
 -.Sh BUGS
 +.Sh IMPLEMENTATION NOTES
  The
  .Xr passwd 1
  command does not change the
  .Nm
  passwords.
 +The
 +.Xr pw 8
 +utility's
 +.Cm groupmod
 +command should be used instead.
 
>Unformatted:
