[Pkg-shadow-devel] Bug#325558: login: newgrp quite broken?

Ian Zimmerman itz at buug.org
Tue Aug 30 00:21:10 UTC 2005


Nicolas> The newgrp man page was modified in unstable. The paragraph you
Nicolas> mentioned is now:

Nicolas>    newgrp changes the current real group ID to the named group,
Nicolas> or to the default group listed in /etc/passwd if no group name
Nicolas> is given.  newgrp also tries to add the group to the user
Nicolas> groupset. If not root, the user will be prompted for a password
Nicolas> if she does not have a password and the group does, or if the
Nicolas> user is not listed as a member and the group has a password.
Nicolas> The user will be denied access if the group password is empty
Nicolas> and the user is not listed as a member.  If compiled with
Nicolas> SHADOWPWD (respectively SHADOWGRP) defined, the password of
Nicolas> the user (respectively, the password and the members of the
Nicolas> group) will be overwritten by the value defined in /etc/shadow
Nicolas> (respectively in /etc/gshadow) if an entry exists for this user
Nicolas> (resp. group).

Nicolas> Do you think the end of the paragraph is clear enough?  (We are
Nicolas> in the "compiled with SHADOWGRP" case, so "the password and the
Nicolas> members of the group" are "overwritten by the value defined in
Nicolas> /etc/gshadow" because "an entry exists for the src group".)

Thanks for your patient and clear explanation.

However:

- No, your man page patch is not enough.  The most important thing to
stress is that the group membership information must be duplicated in
gshadow (or maybe that is the _only_ file that counts and group is
ignored?).  That's because this situation differs from the passwd/shadow
pair; I don't need to duplicate, e.g., users' shell, home directory or
even primary group in shadow.  So mine was a natural and easy mistake to
make.

- Even if documented, this situation still looks like a bug.  What is
the rationale for hiding the membership info in gshadow?  After all,
the primary group is plain for all to see in passwd.

- I wanted to complain that adding a supplementary group via the tools
was a pain, and it was with usermod (I had to find out the current
list of groups, then list them all again plus the new one on the
usermod command line).  But now I see "adduser <user> <group>" in
man adduser.  Well, good to know; I hope I can remember that; the adduser
program name doesn't really help <frown>

Peace, Ian

-- 
Optimist: We're only two weeks behind schedule.
Pessimist: The schedule is a whole two weeks ahead of us.
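
The mismatch this thread turns on (a user listed as a member in /etc/group but not in the /etc/gshadow entry that overrides it), as an added example that is not part of the original message or of the shadow package. The sample file contents, user names and function names are constructed for illustration; the field layouts assumed are `name:passwd:gid:members` for group and `name:passwd:admins:members` for gshadow.

```python
# Added example: report groups whose member list differs between
# /etc/group and /etc/gshadow. Per the man page paragraph quoted above,
# when a gshadow entry exists its member list is the one newgrp uses.

# Constructed sample data (not taken from any real system).
SAMPLE_GROUP = """\
src:x:40:itz,alice
staff:x:50:bob
audio:x:29:itz
"""
SAMPLE_GSHADOW = """\
src:*::alice
staff:!::bob
"""


def parse_members(text, member_field=3):
    """Map group name -> set of members from colon-separated records."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) <= member_field or not fields[0]:
            continue  # skip blank or malformed records
        groups[fields[0]] = {m for m in fields[member_field].split(",") if m}
    return groups


def membership_mismatches(group_text, gshadow_text):
    """Return {group: {"group_only": [...], "gshadow_only": [...]}}."""
    group = parse_members(group_text)
    gshadow = parse_members(gshadow_text)
    report = {}
    for name, members in group.items():
        if name not in gshadow:
            continue  # no gshadow entry, so nothing overrides the group file
        group_only = sorted(members - gshadow[name])
        gshadow_only = sorted(gshadow[name] - members)
        if group_only or gshadow_only:
            report[name] = {"group_only": group_only,
                            "gshadow_only": gshadow_only}
    return report


if __name__ == "__main__":
    for name, diff in membership_mismatches(SAMPLE_GROUP, SAMPLE_GSHADOW).items():
        print(name, diff)
```

Users reported under `group_only` are the ones who appear to be members in /etc/group yet are treated as non-members by newgrp in the SHADOWGRP case.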



