* newgrp(1) and sg(1)
@ 2013-03-18 15:42 Karel Zak
  2013-03-18 20:09 ` Sami Kerola
  2013-03-18 22:38 ` Roger Leigh
  0 siblings, 2 replies; 4+ messages in thread
From: Karel Zak @ 2013-03-18 15:42 UTC (permalink / raw)
  To: util-linux



Do we really need passwords for groups [newgrp(1) and /etc/gshadow]?
Seems like a nice over-engineering.

By the way, I have fixed newgrp(1) in util-linux and shadow-utils 5
years ago. The password verification was pretty useless for years...

IMHO it would be better to mark whole /etc/gshadow as deprecated and
reuse "su --group <group> [--supp-group <group> ...]" code to switch
between groups, then we don't have to maintain separate newgrp code.

Note that newgrp(1) is available in shadow-utils and util-linux, sg(1)
is alias in shadow-utils. We have been successful with login(1), now
I'd like to consolidate newgrp(1) :-)

Comments?

    Karel

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com


* Re: newgrp(1) and sg(1)
  2013-03-18 15:42 newgrp(1) and sg(1) Karel Zak
@ 2013-03-18 20:09 ` Sami Kerola
  2013-03-18 22:38 ` Roger Leigh
  1 sibling, 0 replies; 4+ messages in thread
From: Sami Kerola @ 2013-03-18 20:09 UTC (permalink / raw)
  To: Karel Zak; +Cc: util-linux

On Mon, Mar 18, 2013 at 3:42 PM, Karel Zak <kzak@redhat.com> wrote:
> Do we really need passwords for groups [newgrp(1) and /etc/gshadow]?
> Seems like a nice over-engineering.
>
> By the way, I have fixed newgrp(1) in util-linux and shadow-utils 5
> years ago. The password verification was pretty useless for years...
>
> IMHO it would be better to mark whole /etc/gshadow as deprecated and
> reuse "su --group <group> [--supp-group <group> ...]" code to switch
> between groups, then we don't have to maintain separate newgrp code.
>
> Note that newgrp(1) is available in shadow-utils and util-linux, sg(1)
> is alias in shadow-utils. We have been successful with login(1), now
> I'd like to consolidate newgrp(1) :-)
>
> Comments?

Usefulness of gshadow was discussed earlier[1]. I have not heard
anyone using gshadow. Neither Open Group nor Linux Standard Base
recognize gshadow file, so keeping it alive seems to be voluntary.
There is also quite long history with confusion how the gshadow should
work[2]. So maybe it is time to get rid of this legacy experiment.

Maybe it is worthwhile to mention that Open Group defines newgrp[3]
command, so one of the projects should probably deliver it. The
shadow-utils version seems to be more complete (it has built in syslog
for example), so perhaps it should be the chosen one.

Having 'su --group', or similar, as newgrp alternative sounds fair.

[1] https://groups.google.com/d/msg/fa.linux.kernel/Zg987XcLy2U/wlV3Z9h66d0J
[2] https://groups.google.com/forum/#!search/gshadow/comp.os.linux.admin/QptNuTMTMio/lDoeuy7KwOkJ
[3] http://pubs.opengroup.org/onlinepubs/000095399/utilities/newgrp.html

-- 
   Sami Kerola
   http://www.iki.fi/kerolasa/


* Re: newgrp(1) and sg(1)
  2013-03-18 15:42 newgrp(1) and sg(1) Karel Zak
  2013-03-18 20:09 ` Sami Kerola
@ 2013-03-18 22:38 ` Roger Leigh
  2013-03-19  8:52   ` Karel Zak
  1 sibling, 1 reply; 4+ messages in thread
From: Roger Leigh @ 2013-03-18 22:38 UTC (permalink / raw)
  To: util-linux

On Mon, Mar 18, 2013 at 04:42:25PM +0100, Karel Zak wrote:
> Do we really need passwords for groups [newgrp(1) and /etc/gshadow]?
> Seems like a nice over-engineering.
> 
> By the way, I have fixed newgrp(1) in util-linux and shadow-utils 5
> years ago. The password verification was pretty useless for years...

It's only with the newer glibcs that it's supported by NSS and
the standard library properly (and getent).  So while it's not
as widely used as other system databases, it does have its place
and has really only recently become properly usable.

Looking at the newgrp(1) implementation, it's not using glibc
NSS.  On a current system, it could certainly switch to using
the standard getsgent (or related fgetsgent_r etc.) calls.

> IMHO it would be better to mark whole /etc/gshadow as deprecated and
> reuse "su --group <group> [--supp-group <group> ...]" code to switch
> between groups, then we don't have to maintain separate newgrp code.
> 
> Note that newgrp(1) is available in shadow-utils and util-linux, sg(1)
> is alias in shadow-utils. We have been successful with login(1), now
> I'd like to consolidate newgrp(1) :-)

I don't think that deprecation is really appropriate--the system
interface, NSS and /etc/gshadow are not really the purview of
util-linux, though tools using the interfaces certainly are.

newgrp(1) is specified by POSIX/SUS, so I think this is worth
retaining for compatibility reasons.  Making it use NSS would be
a good improvement though, since it's currently limited to flat
files.


Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800


* Re: newgrp(1) and sg(1)
  2013-03-18 22:38 ` Roger Leigh
@ 2013-03-19  8:52   ` Karel Zak
  0 siblings, 0 replies; 4+ messages in thread
From: Karel Zak @ 2013-03-19  8:52 UTC (permalink / raw)
  To: Roger Leigh; +Cc: util-linux

On Mon, Mar 18, 2013 at 10:38:40PM +0000, Roger Leigh wrote:
> I don't think that deprecation is really appropriate--the system
> interface, NSS and /etc/gshadow are not really the purview of
> util-linux, though tools using the interfaces certainly are.

 Well, gpasswd uses /etc/gshadow, what else?

> newgrp(1) is specified by POSIX/SUS, so I think this is worth
> retaining for compatibility reasons.  Making it use NSS would be
> a good improvement though, since it's currently limited to flat
> files.

 I'm talking about group passwords. I don't see a problem to support
 newgrp(1) as a way how to switch groups, but the question is if we
 really need to support the passwords.

 BTW, posix:

   There is no convenient way to enter a password into the group
   database. Use of group passwords is not encouraged, because by their
   very nature they encourage poor security practices. Group passwords
   may disappear in the future.
 

-- 
 Karel Zak  <kzak@redhat.com>
 http://karelzak.blogspot.com
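
Added example (not part of the thread, and not util-linux or shadow-utils code): a small audit that reads gshadow(5)-format text and reports which groups actually carry a usable group password, which is the first thing to check before deciding whether deprecating them would affect a given system. The function names and the `SAMPLE` entries are constructed for illustration; the field meanings follow gshadow(5).

```python
"""Audit gshadow(5)-format text for groups that have a usable password."""

# Constructed sample in group:password:administrators:members format.
SAMPLE = """\
root:*::
adm:!::syslog
wheel::alice:alice,bob
builders:$6$CONSTRUCTEDSALT$constructedhashvalue:carol:dave
legacy:!$6$CONSTRUCTEDSALT$constructedhashvalue::
broken:line
"""


def classify(field):
    """Classify the password field of one gshadow entry."""
    if field == "":
        return "none"          # only listed members can switch to the group
    if field.startswith(("!", "*")):
        return "locked"        # not a valid crypt(3) result, password unusable
    return "password-set"      # a non-member who knows the password can newgrp


def split_list(value):
    """Split a comma-separated user list, dropping empty items."""
    return [item for item in value.split(",") if item]


def audit_gshadow(text):
    """Return (group, status, admins, members) for every non-blank line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != 4:    # flag damaged entries instead of guessing
            findings.append((f"line {lineno}", "malformed", [], []))
            continue
        name, passwd, admins, members = parts
        findings.append((name, classify(passwd),
                         split_list(admins), split_list(members)))
    return findings


def groups_with_passwords(text):
    """Names of groups a non-member could join with a password."""
    return [f[0] for f in audit_gshadow(text) if f[1] == "password-set"]


if __name__ == "__main__":
    for group, status, admins, members in audit_gshadow(SAMPLE):
        print(f"{group:10} {status:13} admins={admins} members={members}")
```

On a real host the same functions can be fed the contents of /etc/gshadow (readable by root only); an empty result from `groups_with_passwords` means no group password is in use there.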

