[nycbug-talk] Group Password Support

Jason Hellenthal jhellenthal at dataix.net
Thu May 10 11:46:46 EDT 2012



On Tue, May 08, 2012 at 10:11:41AM -0400, Mark Saad wrote:
> On Mon, May 7, 2012 at 5:06 PM, Jesse Callaway <bonsaime at gmail.com> wrote:
> > I'd like to hear more on this too. I just set up my first
> > objectClass=posixgroup in OpenLDAP this morning.
> >
> > The password attribute is an optional attribute in the directory server
> > schema I'm using, and I have elected to leave it out entirely.
> >
> > I just have the group name and the gidNumber attributes.
> >
> > On May 7, 2012 2:16 PM, "Mark Saad" <mark.saad at ymail.com> wrote:
> >>
> >> All
> >>  I have no need for this , but I was wondering if any of the BSD's
> >> supported group passwords. I ran into a typo in a group file and
> >> someone had the GID in the password field.
> >> The FreeBSD man page for group states "The passwd field is an optional
> >> encrypted password.  This field is rarely used and an asterisk is
> >> normally placed in it rather than leaving it blank."
> >> So the two obvious questions are how would I set a group password, and
> >> how would one use it ?
> >>
> >> --
> >>
> >> Mark Saad | mark.saad at ymail.com
> >> _______________________________________________
> >> talk mailing list
> >> talk at lists.nycbug.org
> >> http://lists.nycbug.org/mailman/listinfo/talk
> 
> Ok, pr submitted. Now the other issue is, I can't actually make it work.
> 
> Here is what I did. I want to send this as another pr, but before I do
> that I want to make sure that I am actually doing this correctly.
> 
> 
> root at blindness:~# pw groupadd testgroup
> root at blindness:~# pw group mod testgroup -h 0
> New password for group testgroup:   blahblahblah
> root at blindness:~# exit
> logout
> msaad at blindness:~% newgrp testgroup
> Password:
> newgrp: setgid: Operation not permitted
> msaad at blindness:~%
> 
> 
> Looking at a truss of the newgrp command shows the following
> 
> open("/etc/auth.conf",O_RDONLY,0141)             = 3 (0x3)
> read(3,"#\n# $FreeBSD: src/etc/auth.conf"...,4096) = 237 (0xed)
> read(3,0x7fffffffc670,4096)                      = 0 (0x0)
> close(3)                                         = 0 (0x0)
> __sysctl(0x7fffffffd950,0x2,0x7fffffffd96c,0x7fffffffd960,0x0,0x0) = 0 (0x0)
> getgroups(0x400,0x801041000,0x801000658,0x42,0x601f48,0xffffffff) = 3 (0x3)
> seteuid(0x3ea,0x801041008,0x3,0x3,0x601f48,0xffffffff) = 0 (0x0)
> setgid(0x3eb,0x801041008,0x3,0x3,0x601f48,0xffffffff) ERR#1 'Operation
> not permitted'
> getuid()                                         = 1002 (0x3ea)
> seteuid(0x3ea,0x801041008,0xffffffffffffffff,0x1,0x601f48,0xffffffff) = 0 (0x0)
> write(2,"newgrp: ",8)                            = 8 (0x8)
> write(2,"setgid",6)                              = 6 (0x6)
> write(2,": ",2)                                  = 2 (0x2)
> stat("/usr/share/nls/C/libc.cat",0x7fffffffd330) ERR#2 'No such file
> or directory'
> stat("/usr/share/nls/libc/C",0x7fffffffd330)     ERR#2 'No such file
> or directory'
> stat("/usr/local/share/nls/C/libc.cat",0x7fffffffd330) ERR#2 'No such
> file or directory'
> stat("/usr/local/share/nls/libc/C",0x7fffffffd330) ERR#2 'No such file
> or directory'
> write(2,"Operation not permitted\n",24)          = 24 (0x18)
> seteuid(0x3ea,0x7fffffffd210,0x0,0x18,0x7ff7ff2af0d6,0xffffffff) = 0 (0x0)
> getuid()                                         = 1002 (0x3ea)
> setuid(0x3ea,0x7fffffffd210,0x0,0x18,0x7ff7ff2af0d6,0xffffffff) = 0 (0x0)
> execve("/bin/csh",<missing argument>,<missing argument>) = 0 (0x0)
> 
> 
> This leads me to believe that I need to set up some additional system
> to make this work. Any ideas?
> The man page for auth.conf is not helpful here.
> 

This should not be a surprise... chmod u+s /usr/bin/newgrp

I would recommend ( chmod o= ) to only allow those that are members of
group wheel to group up to something other than their original group.

Also don't forget that your password hashes are readable by everyone on
the system via /etc/group.

There are no added benefits to using newgrp(1)

-- 

 - (2^(N-1))
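
A small audit script, added here as an example and not something posted by anyone in the thread, that checks the two things Jason points at: whether newgrp(1) carries the set-uid bit (without it the setgid() call fails exactly as in the truss above), and which groups in a group(5)-format file actually carry a password hash in the world-readable second field. The group file contents below are constructed sample data, not a real system's /etc/group, and the hashes in it are fake placeholders.

```shell
#!/bin/sh
# Group-password audit helper (added example, not from the thread).

# find_group_passwords FILE
# Prints "group:gid" for every entry whose password field holds something
# other than the conventional placeholders ("", "*", "!" or "x"), i.e. the
# groups anyone who knows (or cracks) the readable hash could newgrp into.
find_group_passwords() {
    awk -F: '
        /^#/ || NF < 3 { next }                         # skip comments and junk
        $2 != "" && $2 != "*" && $2 != "!" && $2 != "x" { print $1 ":" $3 }
    ' "$1"
}

# is_setuid PATH
# Returns 0 when PATH exists and has the set-uid bit, non-zero otherwise.
is_setuid() {
    [ -u "$1" ]
}

# sample_group_file
# Writes a constructed group file to a temp path and prints that path.
# Hash strings below are fake and only illustrate the format.
sample_group_file() {
    f="${TMPDIR:-/tmp}/group_audit.$$"
    cat > "$f" <<'EOF'
# constructed sample group file, not a real /etc/group
wheel:*:0:root
daemon:*:1:daemon
testgroup:$6$saltsalt$fakehashfakehashfakehashfakehash:1003:
staff:*:20:
shared:$1$xx$anotherfakehash:1004:msaad
EOF
    printf '%s\n' "$f"
}

# Demonstration run on the constructed file plus the local newgrp binary.
f=$(sample_group_file)
echo "Groups with a password hash in $f:"
find_group_passwords "$f"
rm -f "$f"
if is_setuid /usr/bin/newgrp; then
    echo "/usr/bin/newgrp is set-uid: group passwords can be used"
else
    echo "/usr/bin/newgrp is not set-uid (or absent): setgid() will fail"
fi
```

Run it against the real /etc/group with find_group_passwords /etc/group to see which groups on a box would be joinable by password; the expected answer on most systems is none.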


