cvs commit: src UPDATING (initgroups)
Jacques Vidrine
nectar at freebsd.org
Mon Dec 15 05:31:17 PST 2003
Brooks Davis said the following on 12/14/03 6:57 PM:
> I think we should put this in in stable and probably never remove it.
> I'd definitely object if we removed it before 4.11 because we need to ship
> at least one release with a warning before breaking things since I don't
> think this is a security issue. If someone can come up with a way not
> being a member of a group would be a security issue I'd withdraw that
> objection and just suggest that we add a special case syslog to stable
> to avoid confusion.
Some authorization decisions grant access on the basis of what groups
you are *not* in: the file system, at least, and who knows what
applications may do.
On the other hand, this change *will* break some sites without
*actually* having a security impact. I tend to agree with you: this
should be a loud and clear warning for at least one release before being
made fatal.
Cheers,
--
Jacques Vidrine NTT/Verio SME FreeBSD UNIX Heimdal
nectar at celabo.org jvidrine at verio.net nectar at freebsd.org nectar at kth.se
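
Added example, not part of the original message or of FreeBSD's code: a simplified C model of the classic UNIX owner/group/other check, showing how a file mode can deny a group while allowing everyone else, so that a process whose group list lacks that group gains access. The uid/gid values, the mode, and the function names are constructed for illustration, and the superuser override is omitted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>

/* Simplified model of the classic UNIX owner/group/other read check.
 * Exactly one permission class applies: a member of the file's group
 * never falls through to the "other" bits. Superuser override omitted. */
static bool in_groups(gid_t gid, const gid_t *groups, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (groups[i] == gid)
            return true;
    return false;
}

bool may_read(mode_t mode, uid_t f_uid, gid_t f_gid,
              uid_t uid, const gid_t *groups, size_t n)
{
    if (uid == f_uid)
        return (mode & 0400) != 0;      /* owner class */
    if (in_groups(f_gid, groups, n))
        return (mode & 0040) != 0;      /* group class */
    return (mode & 0004) != 0;          /* other class */
}

int main(void)
{
    /* Constructed case: file owned by uid 0, gid 200, mode 0604
     * (rw----r--): everyone may read except members of gid 200. */
    const gid_t full[] = { 100, 200 };   /* complete membership */
    const gid_t partial[] = { 100 };     /* same user, gid 200 missing */

    printf("full list:    %s\n",
           may_read(0604, 0, 200, 1001, full, 2) ? "read allowed" : "read denied");
    printf("partial list: %s\n",
           may_read(0604, 0, 200, 1001, partial, 1) ? "read allowed" : "read denied");
    return 0;
}
```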