[Pkg-shadow-devel] Bug#325558: login: newgrp quite broken?

Nicolas François nicolas.francois at centraliens.net
Mon Aug 29 13:37:30 UTC 2005


On Mon, Aug 29, 2005 at 08:16:04AM -0400, itz at buug.org wrote:
> Package: login
> Version: 1:4.0.3-31sarge5
> Severity: normal
> 
> Thus "man newgrp":
> 
> The user will be prompted for a password if she do not have a password and  the
> group does, or if the user is not listed as a member and the group has a password. The user will be denied
> access if the group password is empty and the user is not listed as a member.
> 
> But:
> 
> itz at unicorn:~$ groups
> itz cdrom floppy audio src games tex
> itz at unicorn:~$ grep '^src:' /etc/group
> src::40:itz
> itz at unicorn:~$ sudo grep '^src:' /etc/gshadow
> src:::

itz is not in the src group according to /etc/gshadow.
This line should have been src:::itz
This is probably because you edited /etc/group by hand instead of using
adduser, usermod or another tool aware of gshadow.

> itz at unicorn:~$ newgrp src
> Password: <I type my own here because I don't know what the h*l else I should do>
> Sorry.

With the modified /etc/gshadow, you should be able to have your session
without being prompted for a password.

> Moreover:
> 
> itz at unicorn:~$ sudo gpasswd src
> Changing the password for group src
> New Password: 
> Re-enter new password: 
> itz at unicorn:~$ newgrp src
> Password: 
> 
> Also wrong, according to the manpage.

Here, you were prompted for a password because you are not in the src
group (according to gshadow), but as you know the group password you are
anyway allowed to switch to this group.

The newgrp man page was modified in unstable. The paragraph you mentioned
is now:

   newgrp changes the current real group ID to the named group, or to  the
   default  group listed in /etc/passwd if no group name is given.  newgrp
   also tries to add the group to the user groupset. If not root, the user
   will  be  prompted for a password if she do not have a password and the
   group does, or if the user is not listed as a member and the group  has
   a  password.  The  user  will be denied access if the group password is
   empty and the user is not listed as a member.  If compiled with SHADOW-
   PWD (respectively SHADOWGRP) defined, the password of the user (respec-
   tively, the password and the members of the group) will be  overwritten
   by  the  value defined in /etc/shadow (respectively in /etc/gshadow) if
   an entry exists for this user (resp. group).

Do you think the end of the paragraph is clear enough?
(We are in the "compiled with SHADOWGRP" case, so "the password and the
members of the group" are "overwritten by  the  value defined in
/etc/gshadow" because "an entry exists for the src group".)

Best Regards,
-- 
Nekral
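
Added example, not part of the original message or of the shadow package: a small Python check that finds groups whose member list in /etc/group differs from the one in /etc/gshadow, the inconsistency diagnosed in this thread. The `src` lines are the ones quoted above; the `cdrom` lines and all function names are constructed for illustration.

```python
# Constructed sample data: "src" lines are from the thread, "cdrom" lines are made up.
GROUP_SAMPLE = "src::40:itz\ncdrom:x:24:itz\n"      # name:password:gid:members
GSHADOW_SAMPLE = "src:::\ncdrom:*::itz\n"           # name:password:admins:members


def parse_members(text):
    """Return {group_name: set(members)} for group(5) or gshadow(5) text.

    Both formats have four colon-separated fields with the member list last.
    """
    result = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.strip().split(":")
        if len(fields) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {line!r}")
        result[fields[0]] = {m for m in fields[3].split(",") if m}
    return result


def effective_members(name, group, gshadow):
    """Members as the quoted man page describes them when SHADOWGRP is defined:
    the gshadow entry, if one exists, overrides the /etc/group member list."""
    return gshadow[name] if name in gshadow else group.get(name, set())


def membership_mismatches(group_text, gshadow_text):
    """List (group, only_in_group, only_in_gshadow) for every inconsistent group."""
    group, gshadow = parse_members(group_text), parse_members(gshadow_text)
    findings = []
    for name in sorted(group):
        if name not in gshadow:
            continue  # no shadow entry: /etc/group is used as is
        only_group = sorted(group[name] - gshadow[name])
        only_gshadow = sorted(gshadow[name] - group[name])
        if only_group or only_gshadow:
            findings.append((name, only_group, only_gshadow))
    return findings


if __name__ == "__main__":
    for name, only_group, only_gshadow in membership_mismatches(GROUP_SAMPLE, GSHADOW_SAMPLE):
        print(f"{name}: only in group={only_group} only in gshadow={only_gshadow}")
```

To check a live system, pass the contents of /etc/group and /etc/gshadow to `membership_mismatches`; reading /etc/gshadow requires root.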



