Red Hat Bugzilla – Bug 124821
Group membership in /etc/gshadow is disregarded by access control
Last modified: 2014-03-16 22:45:43 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040510
Description of problem:
I have played around with /etc/group and /etc/gshadow to
elucidate the behaviour of the same.
First off, I noticed that group passwords are not handled
properly by 'newgrp', but that is another story ;-)
for which bugs 85280 and 14464 should be consulted.
The links to these:
Here's the 'new' problem: The group membership list in /etc/gshadow
is not operational. Try this:
Create a file that is only accessible by group 'foo'
----rw---- 1 nobody foo 18 May 30 19:33 /tmp/README
User dtonhofer is in group dtonhofer only
That user cannot access the file, as expected
Add user dtonhofer to the membership list of group foo in /etc/group
then log in as that user (Access control is not dynamic, you have
to create a new process? Well, that's correct, probably..)
User can access the file, as expected.
However, add user dtonhofer to the membership list of group foo in
/etc/shadow then log in as that user (I made sure the group password
was empty, too):
User CANNOT access the file, but should be able to.
Now I know why the membership lists are in /etc/group instead of
/etc/gshadow, as one would expect them to be.
Hmmm... gshadow seems to be the unloved relative. Is it actually
ever used in the 'real world'?
gshadow, afaik, is only ever used for group passwords. I'll have to
check some more.
has some information on gshadow. Just putting the user in /etc/group
is what's needed.
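To make the behaviour described in the report and the closing comment concrete, here is an added audit helper (not from the bug report or from shadow-utils): it parses both files in their documented layouts, derives supplementary groups the way the C library does (from /etc/group member lists only), and flags users that appear only in /etc/gshadow. The file contents and the groups foo and bar are constructed samples.

```python
# Added example: /etc/group and /etc/gshadow share the layout
# name:password:third:members (third = gid or administrator list), so one
# parser serves both. Supplementary groups at login come from /etc/group
# alone, which is why a user listed only in /etc/gshadow gets no access.
# The two file bodies below are constructed samples, not real system files.

GROUP_SAMPLE = """\
root:x:0:
foo:x:1001:
dtonhofer:x:1002:
bar:x:1003:dtonhofer
"""

GSHADOW_SAMPLE = """\
root:!::
foo:::dtonhofer
dtonhofer:!::
bar:!::dtonhofer
"""


def parse_members(text):
    """Return {group: set(members)} from either /etc/group or /etc/gshadow."""
    members = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _third, memb = line.split(":", 3)
        members[name] = set(filter(None, memb.split(",")))
    return members


def supplementary_groups(user, group_members):
    """What initgroups(3) yields at login: groups naming the user in /etc/group."""
    return sorted(g for g, m in group_members.items() if user in m)


def gshadow_only_members(group_members, gshadow_members):
    """(group, user) pairs listed in /etc/gshadow but not in /etc/group. Such a
    user never receives the group at login; grpck(8) reports the same mismatch."""
    return sorted((g, u)
                  for g, m in gshadow_members.items()
                  for u in m - group_members.get(g, set()))


if __name__ == "__main__":
    groups = parse_members(GROUP_SAMPLE)
    shadow = parse_members(GSHADOW_SAMPLE)
    print("dtonhofer gets:", supplementary_groups("dtonhofer", groups))
    print("gshadow-only:", gshadow_only_members(groups, shadow))
```

Run against the real files (`parse_members(open("/etc/gshadow").read())` needs root) to find accounts that were added to the wrong file, which is exactly the mismatch the reporter hit.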