As per discussion with mrg, back out parts of previous change.

The appropriate entry in /etc/group as returned by getgrnam() is
used to determine if 'su root' may be permitted, rather than
checking if membership exists in the result of getgroups().

The following changes were made regarding the behaviour of the special
group for 'su root'
* allow for definition of SUGROUP (defaults to "wheel") to override group name.
* use getgrnam(SUGROUP) instead of getgrgid(0).
* only scan getgrnam(SUGROUP)->gr_mem when checking for group membership.
* be more specific as to why 'su root' failed

NOTE: If a user's primary group is SUGROUP, and they're not a member
of SUGROUP in /etc/group, they will not be able to su.

usr.bin/su/Makefile

@@ -1,4 +1,4 @@
-#	$NetBSD: Makefile,v 1.9 1997/01/09 20:21:40 tls Exp $
+#	$NetBSD: Makefile,v 1.10 1997/07/02 05:42:11 lukem Exp $
 #	from: @(#)Makefile	8.1 (Berkeley) 7/19/93
 
 PROG=	su
@@ -6,6 +6,10 @@ BINOWN=	root
 BINMODE=4555
 INSTALLFLAGS=-fschg
 
+# Uncomment the following line to change the group that may su root to "sugroup"
+#
+#CFLAGS+=-DSUGROUP=\"sugroup\"
+
 .include <bsd.prog.mk>
 
 .ifdef SKEY

usr.bin/su/su.1

@@ -30,7 +30,7 @@
 .\" SUCH DAMAGE.
 .\"
 .\"	from: @(#)su.1	8.2 (Berkeley) 4/18/94
-.\"	$NetBSD: su.1,v 1.12 1997/06/27 17:01:53 lukem Exp $
+.\"	$NetBSD: su.1,v 1.13 1997/07/02 05:42:12 lukem Exp $
 .\"
 .Dd April 18, 1994
 .Dt SU 1
@@ -39,11 +39,11 @@
 .Nm su
 .Nd substitute user identity
 .Sh SYNOPSIS
-.Nm su
+.Nm
 .Op Fl Kflm
 .Op Ar login Op Ar "shell arguments"
 .Sh DESCRIPTION
-.Nm Su
+.Nm
 requests the Kerberos password for
 .Ar login
 (or for
@@ -54,12 +54,12 @@ A shell is then executed, and any additional
 .Ar "shell arguments"
 after the login name
 are passed to the shell.
-.Nm Su
+.Nm
 will resort to the local password file to find the password for
 .Ar login
 if there is a Kerberos error.
 If
-.Nm su
+.Nm
 is executed by root, no password is requested and a shell
 with the appropriate user ID is executed; no additional Kerberos tickets
 are obtained.
@@ -116,7 +116,7 @@ is set to
 .Ev TERM
 is imported from your current environment.
 The invoked shell is the target login's, and
-.Nm su
+.Nm
 will change directory to the target login's home directory.
 .It Fl m
 Leave the environment unmodified.
@@ -126,7 +126,7 @@ shell (as defined by
 .Xr getusershell 3 )
 and the caller's real uid is
 non-zero,
-.Nm su
+.Nm
 will fail.
 .El
 .Pp
@@ -137,15 +137,18 @@ and
 options are mutually exclusive; the last one specified
 overrides any previous ones.
 .Pp
-Only users in group 0 (normally
-.Dq wheel )
+Only users in group
+.Dq wheel
+(normally gid 0),
+as listed in
+.Pa /etc/group ,
 can
-.Nm su
+.Nm
 to
 .Dq root ,
-unless group 0 does not exist or has no members.  (If you want nobody
-to be able to
-.Nm su
+unless group wheel does not exist or has no members.
+(If you do not want anybody to be able to
+.Nm
 to
 .Dq root ,
 make
@@ -171,7 +174,7 @@ to remind one of its awesome power.
 .Sh ENVIRONMENT
 Environment variables used by
 .Nm su :
-.Bl -tag -width HOME
+.Bl -tag -width "HOME"
 .It Ev HOME
 Default home directory of real user ID unless modified as
 specified above.
@@ -182,7 +185,7 @@ Provides terminal type which may be retained for the substituted
 user ID.
 .It Ev USER
 The user ID is always the effective ID (the target user ID) after an
-.Nm su
+.Nm
 unless the user ID is 0 (root).
 .El
 .Sh HISTORY
@@ -190,6 +193,3 @@ A
 .Nm
 command appeared in
 .At v7 .
-.Sh BUGS
-There should be a way of setting policy so that users can su to root
-without being a member of group 0, if the sysadmin wishes.

usr.bin/su/su.c

@@ -1,4 +1,4 @@
-/*	$NetBSD: su.c,v 1.17 1997/06/27 17:01:55 lukem Exp $	*/
+/*	$NetBSD: su.c,v 1.18 1997/07/02 05:42:13 lukem Exp $	*/
 
 /*
  * Copyright (c) 1988 The Regents of the University of California.
@@ -43,7 +43,7 @@ char copyright[] =
 #if 0
 static char sccsid[] = "@(#)su.c	8.3 (Berkeley) 4/2/94";*/
 #else
-static char rcsid[] = "$NetBSD: su.c,v 1.17 1997/06/27 17:01:55 lukem Exp $";
+static char rcsid[] = "$NetBSD: su.c,v 1.18 1997/07/02 05:42:13 lukem Exp $";
 #endif
 #endif /* not lint */
 
@@ -79,6 +79,10 @@ static int koktologin __P((char *, char *, char *));
 #define	ARGSTR	"-flm"
 #endif
 
+#ifndef	SUGROUP
+#define	SUGROUP	"wheel"
+#endif
+
 
 int main __P((int, char **));
 
@@ -172,21 +176,21 @@ main(argc, argv)
 	    if (!use_kerberos || kerberos(username, user, pwd->pw_uid))
 #endif
 	    {
-		/* only allow those in group zero to su to root,
-		   but only if that group has any members. */
-		if (pwd->pw_uid == 0 && (gr = getgrgid((gid_t)0)) &&
-		    *gr->gr_mem) {
-			gid_t groups[NGROUPS];
-			int ngroups;
+		/* Only allow those in group SUGROUP to su to root,
+		   but only if that group has any members.
+		   If SUGROUP has no members, allow anyone to su root */
+		if (pwd->pw_uid == 0 &&
+		    (gr = getgrnam(SUGROUP)) && *gr->gr_mem) {
+			char **g;
 
-			ngroups = getgroups(NGROUPS, groups);
-			while (--ngroups >= 0)
-				if (groups[ngroups] == gr->gr_gid)
-					break;
-			if (ngroups < 0)
+			for (g = gr->gr_mem; ; g++) {
+				if (*g == NULL)
 					errx(1,
-			    "you are not in the correct group to su %s.",
-					    user);
+	    "you are not listed in the correct secondary group (%s) to su %s.",
+					    SUGROUP, user);
+				if (strcmp(username, *g) == 0)
+					break;
+			}
 		}
 		/* if target requires a password, verify it */
 		if (*pwd->pw_passwd) {