zsh-workers
* [PATCH] Allow gid 0 in compaudit
@ 2002-10-04 16:08 Frank v Waveren
  2002-10-04 19:30 ` Dan Nelson
  0 siblings, 1 reply; 7+ messages in thread
From: Frank v Waveren @ 2002-10-04 16:08 UTC (permalink / raw)
  To: zsh-workers

[-- Attachment #1: Type: text/plain, Size: 636 bytes --]

Attached is a patch to have compaudit (called by compaudit) not
complain about directories owned by wheel, is there any chance of
having it applied? I can't think of any systems where gid 0 can't be
trusted...

I'd appreciate it if someone could give it a quick check, I'm pretty
sure it's right but the syntax is still slightly disorienting to me.
(it just adds the not group 0 check after the f:g+w:)

-- 
Frank v Waveren                                      Fingerprint: 0EDB 8787
fvw@[var.cx|stack.nl|dse.nl|chello.nl] ICQ#10074100     09B9 6EF5 6425 B855
Public key: hkp://wwwkeys.pgp.net/fvw@var.cx            7179 3036 E136 B85D

[-- Attachment #2: zsh-4.0.6-compaudit-wheel.diff --]
[-- Type: text/plain, Size: 858 bytes --]

diff -urN zsh-4.0.6/Completion/compaudit zsh-fvw/Completion/compaudit
--- zsh-4.0.6/Completion/compaudit	Fri Aug  9 15:30:07 2002
+++ zsh-fvw/Completion/compaudit	Fri Oct  4 18:04:50 2002
@@ -102,11 +102,11 @@
 #   (including zwc files)
 
 if [[ $GROUP == $LOGNAME && ( -z $GROUPMEM || $GROUPMEM == $LOGNAME ) ]]; then
-  _i_wdirs=( ${^fpath}(Nf:g+w:^g:${GROUP}:,f:o+w:,^u0u${EUID})
-             ${^fpath}/..(Nf:g+w:^g:${GROUP}:,f:o+w:,^u0u${EUID}) )
+  _i_wdirs=( ${^fpath}(Nf:g+w:^g:${GROUP}:g0,f:o+w:,^u0u${EUID})
+             ${^fpath}/..(Nf:g+w:^g:${GROUP}:g0,f:o+w:,^u0u${EUID}) )
 else
-  _i_wdirs=( ${^fpath}(Nf:g+w:,f:o+w:,^u0u${EUID})
-             ${^fpath}/..(Nf:g+w:,f:o+w:,^u0u${EUID}) )
+  _i_wdirs=( ${^fpath}(Nf:g+w:^g0,f:o+w:,^u0u${EUID})
+             ${^fpath}/..(Nf:g+w:^g0,f:o+w:,^u0u${EUID}) )
 fi
 
 if [[ -f /etc/debian_version ]]
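
Review bot: the g0 exclusion added to the f:g+w: clause in both branches is unconditional, whereas the existing ^g:${GROUP}: exclusion is only reached when $GROUPMEM is empty or equals $LOGNAME. As written, any group-writable fpath directory (or its parent) with gid 0 stops being reported no matter how many accounts belong to that group. Suggest gating the gid 0 exclusion on an equivalent membership test for gid 0, or making it opt-in, and extending the comment above the block to state that gid 0 is being treated as trusted.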


* Re: [PATCH] Allow gid 0 in compaudit
  2002-10-04 16:08 [PATCH] Allow gid 0 in compaudit Frank v Waveren
@ 2002-10-04 19:30 ` Dan Nelson
  2002-10-04 20:39   ` Frank v Waveren
  0 siblings, 1 reply; 7+ messages in thread
From: Dan Nelson @ 2002-10-04 19:30 UTC (permalink / raw)
  To: Frank v Waveren; +Cc: zsh-workers

In the last episode (Oct 04), Frank v Waveren said:
> Attached is a patch to have compaudit (called by compaudit) not
> complain about directories owned by wheel, is there any chance of
> having it applied? I can't think of any systems where gid 0 can't be
> trusted...

Lots of users can be in wheel; on BSD systems you can't su to root
unless you're in wheel.  A group-writable directory with a gid of wheel
is in the "iffy" category.  I'd lean toward leaving the warning as is.

-- 
	Dan Nelson
	dnelson@allantgroup.com
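
The concern raised in this reply, that a group-writable directory is only as trustworthy as the membership of its group, can be checked directly. The script below is an added example, not part of the thread or of compaudit; the function names, the ok/warn output format, and the choice to trust only the user and root are assumptions of the example.

```shell
#!/bin/sh
# Added example, not compaudit code. Inputs use group(5)/passwd(5) format.

# group_members GID GROUP_FILE PASSWD_FILE
# Everyone who holds GID: supplementary members listed in the group file
# plus users whose primary gid in the passwd file is GID.
group_members() {
  {
    awk -F: -v g="$1" '$3 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
    awk -F: -v g="$1" '$4 == g { print $1 }' "$3"
  } | sed '/^$/d' | sort -u
}

# dir_gid DIR: numeric group owner of DIR (field 4 of ls -ldn).
dir_gid() { ls -ldn "$1" | awk '{ print $4 }'; }

# audit_dir DIR USER GROUP_FILE PASSWD_FILE
# Prints "ok ..." and returns 0, or prints "warn ..." and returns 1 when DIR
# is group-writable and its group has members other than USER and root
# (trusting exactly those two is this example's assumption).
audit_dir() {
  _mode=$(ls -ldn "$1" | awk '{ print $1 }')
  case $_mode in
    ?????w*) ;;                        # 6th character is the group-write bit
    *) echo "ok not-group-writable"; return 0 ;;
  esac
  _gid=$(dir_gid "$1")
  _extra=$(group_members "$_gid" "$3" "$4" | grep -vxF -e "$2" -e root | paste -s -d, -)
  if [ -z "$_extra" ]; then
    echo "ok gid=$_gid no-extra-members"
    return 0
  fi
  echo "warn gid=$_gid extra=$_extra"
  return 1
}

# Demo on constructed data: the temp directory's own gid stands in for
# wheel, because chgrp to gid 0 would need root.
demo() {
  _t=$(mktemp -d) && mkdir "$_t/functions" && chmod 775 "$_t/functions"
  _g=$(dir_gid "$_t/functions")
  printf 'wheel:*:%s:alice,bob\n' "$_g" > "$_t/group"                    # constructed
  printf 'carol:*:1003:%s::/home/carol:/bin/sh\n' "$_g" > "$_t/passwd"   # constructed
  audit_dir "$_t/functions" alice "$_t/group" "$_t/passwd"
  _rc=$?
  rm -rf "$_t"
  return $_rc
}
demo || true
```

On a live system the group and passwd arguments would be /etc/group and /etc/passwd, or dumps from whatever directory service supplies accounts.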



* Re: [PATCH] Allow gid 0 in compaudit
  2002-10-04 19:30 ` Dan Nelson
@ 2002-10-04 20:39   ` Frank v Waveren
  2002-10-04 20:42     ` Frank v Waveren
  0 siblings, 1 reply; 7+ messages in thread
From: Frank v Waveren @ 2002-10-04 20:39 UTC (permalink / raw)
  To: Dan Nelson; +Cc: zsh-workers

On Fri, Oct 04, 2002 at 02:30:13PM -0500, Dan Nelson wrote:
> Lots of users can be in wheel; on BSD systems you can't su to root
> unless you're in wheel.  A group-writable directory with a gid of wheel
> is in the "iffy" category.
Hmm, valid point.. Then I'll just whine at sysadmins. Thanks for all
the great work everyone!

-- 
Frank v Waveren                                      Fingerprint: 0EDB 8787
fvw@[var.cx|stack.nl|dse.nl|chello.nl] ICQ#10074100     09B9 6EF5 6425 B855
Public key: hkp://wwwkeys.pgp.net/fvw@var.cx            7179 3036 E136 B85D



* Re: [PATCH] Allow gid 0 in compaudit
  2002-10-04 20:39   ` Frank v Waveren
@ 2002-10-04 20:42     ` Frank v Waveren
  2002-10-04 20:52       ` Dan Nelson
  0 siblings, 1 reply; 7+ messages in thread
From: Frank v Waveren @ 2002-10-04 20:42 UTC (permalink / raw)
  To: Dan Nelson; +Cc: zsh-workers

Replying to myself (netiquette be damned :P), the fact that on a BSD
system one is in wheel implies that the person in question has the
root password, no? So those people should be pretty trusted anyway.

-- 
Frank v Waveren                                      Fingerprint: 0EDB 8787
fvw@[var.cx|stack.nl|dse.nl|chello.nl] ICQ#10074100     09B9 6EF5 6425 B855
Public key: hkp://wwwkeys.pgp.net/fvw@var.cx            7179 3036 E136 B85D



* Re: [PATCH] Allow gid 0 in compaudit
  2002-10-04 20:42     ` Frank v Waveren
@ 2002-10-04 20:52       ` Dan Nelson
  2002-10-04 21:32         ` Frank v Waveren
  2002-10-04 21:58         ` Frank v Waveren
  0 siblings, 2 replies; 7+ messages in thread
From: Dan Nelson @ 2002-10-04 20:52 UTC (permalink / raw)
  To: Frank v Waveren; +Cc: zsh-workers

In the last episode (Oct 04), Frank v Waveren said:
> Replying to myself (netiquette be damned :P), the fact that on a BSD
> system one is in wheel implies that the person in question has the
> root password, no? So those people should be pretty trusted anyway.

It implies that the person knows the password, yes.  But until they
actually su to root, they shouldn't get any extra permissions IMHO. 
Wheel just means "I can be root if I want", not "I am root".

-- 
	Dan Nelson
	dnelson@allantgroup.com



* Re: [PATCH] Allow gid 0 in compaudit
  2002-10-04 20:52       ` Dan Nelson
@ 2002-10-04 21:32         ` Frank v Waveren
  2002-10-04 21:58         ` Frank v Waveren
  1 sibling, 0 replies; 7+ messages in thread
From: Frank v Waveren @ 2002-10-04 21:32 UTC (permalink / raw)
  To: Dan Nelson; +Cc: zsh-workers

On Fri, Oct 04, 2002 at 03:52:34PM -0500, Dan Nelson wrote:
> It implies that the person knows the password, yes.  But until they
> actually su to root, they shouldn't get any extra permissions IMHO. 
> Wheel just means "I can be root if I want", not "I am root".
Not "I am root", but I'd say it's something close to the debian
'staff'. You do get a few free goodies like reading logs as the plain
user, and there are some BSD sites that run with wheel having write on
quite some things... Still, better safe than sorry I guess.

-- 
Frank v Waveren                                      Fingerprint: 0EDB 8787
fvw@[var.cx|stack.nl|dse.nl|chello.nl] ICQ#10074100     09B9 6EF5 6425 B855
Public key: hkp://wwwkeys.pgp.net/fvw@var.cx            7179 3036 E136 B85D


