Date: Mon, 15 Dec 2003 07:31:03 -0600
From: Jacques Vidrine <nectar@freebsd.org>
To: Brooks Davis <brooks@one-eyed-alien.net>
Cc: cvs-all@FreeBSD.org
Subject: Re: cvs commit: src UPDATING (initgroups)
Message-ID: <3FDDB797.9080703@freebsd.org>
In-Reply-To: <20031215005702.GB4077@Odin.AC.HMC.Edu>
References: <Pine.NEB.3.96L.1031213210011.58711D-100000@fledge.watson.org> <3FDC7D65.3040406@aueb.gr> <20031214213624.GA4077@Odin.AC.HMC.Edu> <3FDCEA54.2040705@aueb.gr> <20031215005702.GB4077@Odin.AC.HMC.Edu>

Brooks Davis said the following on 12/14/03 6:57 PM:

> I think we should put this in in stable and probably never remove it.
> I'd definitely object if we removed it before 4.11 because we need to ship
> at least one release with a warning before breaking things since I don't
> think this is a security issue. If someone can come up with a way not
> being a member of a group would be a security issue I'd withdraw that
> objection and just suggest that we add a special case syslog to stable
> to avoid confusion.

Some authorization decisions grant access on the basis of what groups you are *not* in: the file system, at least, and who knows what applications may do.

On the other hand, this change *will* break some sites without *actually* having a security impact. I tend to agree with you: this should be a loud and clear warning for at least one release before being made fatal.

Cheers,
-- 
Jacques Vidrine   NTT/Verio SME   FreeBSD UNIX   Heimdal
nectar@celabo.org   jvidrine@verio.net   nectar@freebsd.org   nectar@kth.se
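
An added illustration, not part of the original message or of FreeBSD's code: a simplified model of the traditional UNIX mode-bit check, showing how a file with mode 0604 denies members of its group while permitting everyone else, so a process whose group list lacks that group is allowed to read. The uids, gids and mode are constructed sample values, and `may_access` and `sample_read` are hypothetical names.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
/* Simplified model of the classic UNIX mode-bit check: exactly one class
 * (owner, group, other) is selected and only that class's bits are used.
 * Superuser override and ACLs are deliberately left out. */
struct file_meta { uid_t uid; gid_t gid; mode_t mode; };
struct cred { uid_t uid; gid_t gid; const gid_t *groups; size_t ngroups; };

static bool in_group(const struct cred *c, gid_t gid)
{
    if (c->gid == gid)
        return true;
    for (size_t i = 0; i < c->ngroups; i++)
        if (c->groups[i] == gid)
            return true;
    return false;
}

/* want: 4 = read, 2 = write, 1 = execute (may be OR-ed together) */
bool may_access(const struct file_meta *f, const struct cred *c, mode_t want)
{
    mode_t bits;
    if (c->uid == f->uid)
        bits = (f->mode >> 6) & 7;
    else if (in_group(c, f->gid))
        bits = (f->mode >> 3) & 7;  /* group class applies even if it grants less */
    else
        bits = f->mode & 7;
    return (bits & want) == want;
}

/* Constructed sample: file uid 0, gid 500, mode 0604; user uid/gid 1001. */
bool sample_read(const gid_t *groups, size_t ngroups)
{
    const struct file_meta f = { 0, 500, 0604 };
    const struct cred c = { 1001, 1001, groups, ngroups };
    return may_access(&f, &c, 4);
}

int main(void)
{
    const gid_t full[] = { 100, 200, 500 };  /* complete membership */
    const gid_t cut[]  = { 100, 200 };       /* gid 500 was not set */
    printf("full list: read %s\n", sample_read(full, 3) ? "allowed" : "denied");
    printf("gid 500 missing: read %s\n", sample_read(cut, 2) ? "allowed" : "denied");
    return 0;
}
```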