On Tue, Aug 30, 2005 at 06:54:06PM -0400, [EMAIL PROTECTED] wrote:
>
> Nicolas> This situation does not look buggy per se to me. It is
> Nicolas> (just) a documentation issue. In fact, the information is not
> Nicolas> duplicated in /etc/group and /etc/gshadow. The list of members
> Nicolas> in /etc/group indicates the list of users who will gain the
> Nicolas> permissions of this group.
>
> Nicolas> The list of members in /etc/gshadow indicates the list of users
> Nicolas> who can gain the permissions of this group by requesting them
> Nicolas> (with newgrp or sg, without any password and this will be
> Nicolas> logged).
>
> Let me read between your lines.
>
> The membership list in /etc/group determines which users get the group
> into their supplementary list during login (and, I guess, any other
> program that calls initgroups (3)).

(Note that initgroups comes from the libc, which is not aware of the
gshadow file, so it is normal that this function does not use any
information from gshadow.)

> The membership list in /etc/gshadow determines which users can newgrp
> or sg to the group.

With a fallback to /etc/group if there is no entry for the group in
gshadow (which is the case when you delete the gshadow file).

> Maybe the really counterintuitive thing here is that _either_ file
> should be consulted for membership info when I am newgrping to a group
> that is _already_ in my supplementary list. I am not getting any new
> privileges that way; all that changes is that new files will be created
> owned by the other group, and I could do that already, with less
> convenience, by using chgrp after the fact.

Yes. Except in some rare cases, there is no need to change the primary
group.

However, newgrp or sg can be used in other use cases: getting the
privileges of a group you are not in, by providing a password.
This can be used to set up boxes with a guest account and let some of the
guests gain more privileges. In those cases, guest is not a member of any
group (in /etc/group and /etc/gshadow), and the password of the privileged
group is distributed to some of the physical persons using the guest
account.

You can also imagine some configurations where somebody does not want to
be in a given group (to avoid mistakes), but wants to be able to gain this
group privilege with newgrp (without password if this user is in the
member list in gshadow).

The gshadow file also permits the use of group administrators (see
gpasswd(1)).

If you are not willing to do any of these, you can live without any notice
without the /etc/gshadow file.

I still have my question:
Do you think that the paragraph of my previous mail would have permitted
you to understand how newgrp works?

Regards,
--
Nekral
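
Added example (not part of the original mail or of the shadow package): a small Python check that compares the member lists of the two files according to the roles described above and reports where they disagree. The file contents are constructed samples, the finding names are made up for this example, and the rule for a usable group password (non-empty, not starting with ! or *) is an assumption taken from gshadow(5).

```python
# Constructed sample contents, not taken from a real system.
SAMPLE_GROUP = """\
staff:x:50:alice
audio:x:29:alice,bob
wheel:x:10:
games:x:60:carol
"""
SAMPLE_GSHADOW = """\
staff:!::alice
audio:!::alice
wheel:$6$constructed$hash:dave:erin
"""

def parse(text):
    """Map group name -> (password field, third field, set of members)."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if len(fields) != 4:
            continue  # skip blank or malformed lines
        name, passwd, third, members = fields
        entries[name] = (passwd, third, {m for m in members.split(",") if m})
    return entries

def password_usable(passwd):
    # Assumption from gshadow(5): an empty field, "!..." or "*" cannot be
    # matched by a typed password, so only listed members can newgrp.
    return bool(passwd) and not passwd.startswith(("!", "*"))

def audit(group_text, gshadow_text):
    """Return (group, finding, users) tuples where the two files differ."""
    groups, shadows = parse(group_text), parse(gshadow_text)
    findings = []
    for name in sorted(groups):
        login_members = groups[name][2]      # supplementary list at login
        if name not in shadows:              # newgrp falls back to /etc/group
            findings.append((name, "no-gshadow-entry", sorted(login_members)))
            continue
        passwd, _admins, newgrp_members = shadows[name]
        if newgrp_members - login_members:   # newgrp/sg without password only
            findings.append((name, "gshadow-only", sorted(newgrp_members - login_members)))
        if login_members - newgrp_members:   # gets the group at login only
            findings.append((name, "group-only", sorted(login_members - newgrp_members)))
        if password_usable(passwd):          # non-members can join with the password
            findings.append((name, "password-set", []))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_GROUP, SAMPLE_GSHADOW):
        print(finding)
```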

