As per discussion with mrg, back out parts of previous change.
The appropriate entry in /etc/group as returned by getgrnam() is used to determine if 'su root' may be permitted, rather than checking if membership exists in the result of getgroups(). The following changes were made regarding the behaviour of the special group for 'su root': * allow for definition of SUGROUP (defaults to "wheel") to override the group name. * use getgrnam(SUGROUP) instead of getgrgid(0). * only scan getgrnam(SUGROUP)->gr_mem when checking for group membership. * be more specific as to why 'su root' failed. NOTE: If a user's primary group is SUGROUP, and they are not listed as a member of SUGROUP in /etc/group, they will not be able to su.
This commit is contained in:
parent
31a2bdc622
commit
aaa55367ba
|
@ -1,4 +1,4 @@
|
|||
# $NetBSD: Makefile,v 1.9 1997/01/09 20:21:40 tls Exp $
|
||||
# $NetBSD: Makefile,v 1.10 1997/07/02 05:42:11 lukem Exp $
|
||||
# from: @(#)Makefile 8.1 (Berkeley) 7/19/93
|
||||
|
||||
PROG= su
|
||||
|
@ -6,6 +6,10 @@ BINOWN= root
|
|||
BINMODE=4555
|
||||
INSTALLFLAGS=-fschg
|
||||
|
||||
# Uncomment the following line to change the group that may su root to "sugroup"
|
||||
#
|
||||
#CFLAGS+=-DSUGROUP=\"sugroup\"
|
||||
|
||||
.include <bsd.prog.mk>
|
||||
|
||||
.ifdef SKEY
|
||||
|
|
|
@ -30,7 +30,7 @@
|
|||
.\" SUCH DAMAGE.
|
||||
.\"
|
||||
.\" from: @(#)su.1 8.2 (Berkeley) 4/18/94
|
||||
.\" $NetBSD: su.1,v 1.12 1997/06/27 17:01:53 lukem Exp $
|
||||
.\" $NetBSD: su.1,v 1.13 1997/07/02 05:42:12 lukem Exp $
|
||||
.\"
|
||||
.Dd April 18, 1994
|
||||
.Dt SU 1
|
||||
|
@ -39,11 +39,11 @@
|
|||
.Nm su
|
||||
.Nd substitute user identity
|
||||
.Sh SYNOPSIS
|
||||
.Nm su
|
||||
.Nm
|
||||
.Op Fl Kflm
|
||||
.Op Ar login Op Ar "shell arguments"
|
||||
.Sh DESCRIPTION
|
||||
.Nm Su
|
||||
.Nm
|
||||
requests the Kerberos password for
|
||||
.Ar login
|
||||
(or for
|
||||
|
@ -54,12 +54,12 @@ A shell is then executed, and any additional
|
|||
.Ar "shell arguments"
|
||||
after the login name
|
||||
are passed to the shell.
|
||||
.Nm Su
|
||||
.Nm
|
||||
will resort to the local password file to find the password for
|
||||
.Ar login
|
||||
if there is a Kerberos error.
|
||||
If
|
||||
.Nm su
|
||||
.Nm
|
||||
is executed by root, no password is requested and a shell
|
||||
with the appropriate user ID is executed; no additional Kerberos tickets
|
||||
are obtained.
|
||||
|
@ -116,7 +116,7 @@ is set to
|
|||
.Ev TERM
|
||||
is imported from your current environment.
|
||||
The invoked shell is the target login's, and
|
||||
.Nm su
|
||||
.Nm
|
||||
will change directory to the target login's home directory.
|
||||
.It Fl m
|
||||
Leave the environment unmodified.
|
||||
|
@ -126,7 +126,7 @@ shell (as defined by
|
|||
.Xr getusershell 3 )
|
||||
and the caller's real uid is
|
||||
non-zero,
|
||||
.Nm su
|
||||
.Nm
|
||||
will fail.
|
||||
.El
|
||||
.Pp
|
||||
|
@ -137,15 +137,18 @@ and
|
|||
options are mutually exclusive; the last one specified
|
||||
overrides any previous ones.
|
||||
.Pp
|
||||
Only users in group 0 (normally
|
||||
.Dq wheel )
|
||||
Only users in group
|
||||
.Dq wheel
|
||||
(normally gid 0),
|
||||
as listed in
|
||||
.Pa /etc/group ,
|
||||
can
|
||||
.Nm su
|
||||
.Nm
|
||||
to
|
||||
.Dq root ,
|
||||
unless group 0 does not exist or has no members. (If you want nobody
|
||||
to be able to
|
||||
.Nm su
|
||||
unless group wheel does not exist or has no members.
|
||||
(If you do not want anybody to be able to
|
||||
.Nm
|
||||
to
|
||||
.Dq root ,
|
||||
make
|
||||
|
@ -171,7 +174,7 @@ to remind one of its awesome power.
|
|||
.Sh ENVIRONMENT
|
||||
Environment variables used by
|
||||
.Nm su :
|
||||
.Bl -tag -width HOME
|
||||
.Bl -tag -width "HOME"
|
||||
.It Ev HOME
|
||||
Default home directory of real user ID unless modified as
|
||||
specified above.
|
||||
|
@ -182,7 +185,7 @@ Provides terminal type which may be retained for the substituted
|
|||
user ID.
|
||||
.It Ev USER
|
||||
The user ID is always the effective ID (the target user ID) after an
|
||||
.Nm su
|
||||
.Nm
|
||||
unless the user ID is 0 (root).
|
||||
.El
|
||||
.Sh HISTORY
|
||||
|
@ -190,6 +193,3 @@ A
|
|||
.Nm
|
||||
command appeared in
|
||||
.At v7 .
|
||||
.Sh BUGS
|
||||
There should be a way of setting policy so that users can su to root
|
||||
without being a member of group 0, if the sysadmin wishes.
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: su.c,v 1.17 1997/06/27 17:01:55 lukem Exp $ */
|
||||
/* $NetBSD: su.c,v 1.18 1997/07/02 05:42:13 lukem Exp $ */
|
||||
|
||||
/*
|
||||
* Copyright (c) 1988 The Regents of the University of California.
|
||||
|
@ -43,7 +43,7 @@ char copyright[] =
|
|||
#if 0
|
||||
static char sccsid[] = "@(#)su.c 8.3 (Berkeley) 4/2/94";*/
|
||||
#else
|
||||
static char rcsid[] = "$NetBSD: su.c,v 1.17 1997/06/27 17:01:55 lukem Exp $";
|
||||
static char rcsid[] = "$NetBSD: su.c,v 1.18 1997/07/02 05:42:13 lukem Exp $";
|
||||
#endif
|
||||
#endif /* not lint */
|
||||
|
||||
|
@ -79,6 +79,10 @@ static int koktologin __P((char *, char *, char *));
|
|||
#define ARGSTR "-flm"
|
||||
#endif
|
||||
|
||||
#ifndef SUGROUP
|
||||
#define SUGROUP "wheel"
|
||||
#endif
|
||||
|
||||
|
||||
int main __P((int, char **));
|
||||
|
||||
|
@ -172,21 +176,21 @@ main(argc, argv)
|
|||
if (!use_kerberos || kerberos(username, user, pwd->pw_uid))
|
||||
#endif
|
||||
{
|
||||
/* only allow those in group zero to su to root,
|
||||
but only if that group has any members. */
|
||||
if (pwd->pw_uid == 0 && (gr = getgrgid((gid_t)0)) &&
|
||||
*gr->gr_mem) {
|
||||
gid_t groups[NGROUPS];
|
||||
int ngroups;
|
||||
/* Only allow those in group SUGROUP to su to root,
|
||||
but only if that group has any members.
|
||||
If SUGROUP has no members, allow anyone to su root */
|
||||
if (pwd->pw_uid == 0 &&
|
||||
(gr = getgrnam(SUGROUP)) && *gr->gr_mem) {
|
||||
char **g;
|
||||
|
||||
ngroups = getgroups(NGROUPS, groups);
|
||||
while (--ngroups >= 0)
|
||||
if (groups[ngroups] == gr->gr_gid)
|
||||
break;
|
||||
if (ngroups < 0)
|
||||
for (g = gr->gr_mem; ; g++) {
|
||||
if (*g == NULL)
|
||||
errx(1,
|
||||
"you are not in the correct group to su %s.",
|
||||
user);
|
||||
"you are not listed in the correct secondary group (%s) to su %s.",
|
||||
SUGROUP, user);
|
||||
if (strcmp(username, *g) == 0)
|
||||
break;
|
||||
}
|
||||
}
|
||||
/* if target requires a password, verify it */
|
||||
if (*pwd->pw_passwd) {
|
||||
|
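Review bot: The new condition `(gr = getgrnam(SUGROUP)) && *gr->gr_mem` treats a NULL return from getgrnam() the same as "group has no members", so a failed or unavailable group lookup (not only an absent group) silently skips the membership gate and lets any user who knows the root password proceed, i.e. the check fails open. The man-page change documents the "does not exist or has no members" case, but nothing in the hunk distinguishes a lookup error from a genuinely missing group, and a bypass of the gate is not recorded anywhere; if the file already reports through syslog(3), the skipped-gate path would be a reasonable place to emit a warning naming SUGROUP. At minimum the comment should state the consequence, e.g. replace the third comment line with `   If SUGROUP cannot be looked up or has no members, the gate is skipped and anyone may su root */`. The enclosing main() starts and ends outside this hunk.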
|