implications of adding root to a group
Hello, I've been looking at the /etc/group and have noticed that some groups have root included in them, for example operator. Is it not implied that root has access to all things and groups? What is the purpose of adding root to a group? If I add root to some new arbitrary group, what does it result in differently than if I do not add root to that group?

Answers suggestions appreciated,
K

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org

Re: implications of adding root to a group
On Thu, 23 Aug 2012 07:51:10 -0700 Krims G krimskr...@gmail.com wrote:

> Hello, I've been looking at the /etc/group and have noticed that some groups have root included in them, for example operator. Is it not implied that root has access to all things and groups? What is the purpose of adding root to a group? If I add root to some new arbitrary group, what does it result in differently than if I do not add root to that group?

The root user has the ability to ignore file permissions, but not the ability to subvert group membership tests in scripts or programs.

--
Steve O'Hara-Smith          | Directable Mirror Arrays
C:WIN                       | A better way to focus the sun
The computer obeys and wins.| licences available see
You lose and Bill collects. | http://www.sohara.org/

Re: implications of adding root to a group
On 23 Aug 2012, at 17:26, Steve O'Hara-Smith st...@sohara.org wrote:

> On Thu, 23 Aug 2012 07:51:10 -0700 Krims G krimskr...@gmail.com wrote:
>
>> Hello, I've been looking at the /etc/group and have noticed that some groups have root included in them, for example operator. Is it not implied that root has access to all things and groups? What is the purpose of adding root to a group? If I add root to some new arbitrary group, what does it result in differently than if I do not add root to that group?
>
> The root user has the ability to ignore file permissions, but not the ability to subvert group membership tests in scripts or programs.
>
> --
> Steve O'Hara-Smith |

While I can compute what you wrote, I fail to see the implications. Would you kindly explain in layman's terms?

Re: implications of adding root to a group
On Thu, 23 Aug 2012 23:07:04 +0200, Damien Fleuriot wrote:

> On 23 Aug 2012, at 17:26, Steve O'Hara-Smith st...@sohara.org wrote:
>
>> On Thu, 23 Aug 2012 07:51:10 -0700 Krims G krimskr...@gmail.com wrote:
>>
>>> Hello, I've been looking at the /etc/group and have noticed that some groups have root included in them, for example operator. Is it not implied that root has access to all things and groups? What is the purpose of adding root to a group? If I add root to some new arbitrary group, what does it result in differently than if I do not add root to that group?
>>
>> The root user has the ability to ignore file permissions, but not the ability to subvert group membership tests in scripts or programs.
>>
>> --
>> Steve O'Hara-Smith |
>
> While I can compute what you wrote, I fail to see the implications. Would you kindly explain in layman's terms?

Let's say a script tests (upon execution) if the caller does belong to a specific group. While root may execute all scripts and remove all barriers, root:wheel will still have wheel as the group. While "root is superior to non-root" is true, "wheel is superior to non-wheel" does not apply.

In this fictional example, let's assume the script is executable for a specific non-root user. Obviously, root can override this and execute it anyway, even if the script is rwx/---/--- for bob:foo. The script initially tests if the caller is a member of the group foo to continue. As root is a member of wheel, and _not_ of foo, the test will fail. The script doesn't continue.

Adding root to specific groups allows programs testing for group membership to recognize the required group. It's comparable to adding non-root users to operation groups like dialer or operator to allow them to execute scripts and programs that are executable for the respective group, even though they are owned by root, like rwx/r-x/---.

--
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...

Re: implications of adding root to a group
On Thu, 23 Aug 2012 23:07:04 +0200 Damien Fleuriot m...@my.gd wrote:

> On 23 Aug 2012, at 17:26, Steve O'Hara-Smith st...@sohara.org wrote:
>
>> On Thu, 23 Aug 2012 07:51:10 -0700 Krims G krimskr...@gmail.com wrote:
>>
>>> Hello, I've been looking at the /etc/group and have noticed that some groups have root included in them, for example operator. Is it not implied that root has access to all things and groups? What is the purpose of adding root to a group? If I add root to some new arbitrary group, what does it result in differently than if I do not add root to that group?
>>
>> The root user has the ability to ignore file permissions, but not the ability to subvert group membership tests in scripts or programs.
>>
>> --
>> Steve O'Hara-Smith |
>
> While I can compute what you wrote, I fail to see the implications. Would you kindly explain in layman's terms?

Any script or program that checks group membership before proceeding will execute for root regardless of permissions but won't do anything (except emit a message) unless root is also a member of the required group.

--
Steve O'Hara-Smith          | Directable Mirror Arrays
C:WIN                       | A better way to focus the sun
The computer obeys and wins.| licences available see
You lose and Bill collects. | http://www.sohara.org/
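
The group-membership gate described in the two replies above, as an added example that is not part of the original thread. The helper names `has_group` and `gate` and the sample group lists are assumptions; `foo` is the fictional group from the thread.

```sh
#!/bin/sh
# Added example (not from the thread): a script that gates on group
# membership. "foo" is the thread's fictional group; has_group and gate
# are hypothetical helper names.

# has_group GROUP "LIST": succeed only if GROUP is a whole word in the
# space-separated LIST, so "foo" does not match "foobar".
has_group() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *)        return 1 ;;
    esac
}

# gate GROUP [LIST]: print the decision. Without LIST, use the calling
# process's own groups as reported by id -Gn. No uid test appears
# anywhere, so uid 0 gets no special treatment from this check.
gate() {
    required=$1
    have=${2-$(id -Gn)}
    if has_group "$required" "$have"; then
        echo "proceed"
    else
        echo "refuse: caller is not in group $required"
        return 1
    fi
}

# Constructed group lists for root, before and after being added to foo.
gate foo "wheel operator" || true
gate foo "wheel operator foo"
```

Calling `gate foo` with no list checks the real caller, so running it as root on a system where root is not in foo prints the refusal, however permissive the file modes are.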