bb@cypress.cis.ufl.edu (Brian Bartholomew) (06/28/90)
In article <5570437@hpfcdc.HP.COM> rml@hpfcdc.HP.COM (Bob Lenk) writes:
>As such, a null password in the group file is not a security hole. It is
>equivalent to a star, except that a star will cause newgrp to prompt
>the user for a password when it will never match.

I tried this, and found out that you are correct. I am glad to see that
such a gaping hole was not overlooked.

Now, my next question, is why was this behavior changed? To my (limited)
knowledge, these semantics are different from both Sys V and BSD
derivative systems that I have used. Was there a reason for this change,
or was it gratuitous?

I DO hope these changes were made in setgid(2), rather than in newgrp(1).

--
"Any sufficiently advanced technology is indistinguishable from a rigged demo."
-------------------------------------------------------------------------------
Brian Bartholomew	UUCP:       ...gatech!uflorida!beach.cis.ufl.edu!bb
University of Florida	Internet:   bb@beach.cis.ufl.edu

guy@auspex.auspex.com (Guy Harris) (07/01/90)
>I DO hope these changes were made in setgid(2), rather than in newgrp(1).
I certainly hope *not*, as in both Sys V and BSD derivative systems that
*I* have used, "setgid()" knows nothing about passwords in the group
file, null or otherwise. Perhaps you meant something other than
"setgid(2)"?