On Mon, Mar 18, 2013 at 04:42:25PM +0100, Karel Zak wrote:
>  Do we really need passwords for groups [newgrp(1) and /etc/gshadow]?
>  Seems like a nice over-engineering.
>
>  By the way, I have fixed newgrp(1) in util-linux and shadow-utils 5
>  years ago. The password verification was pretty useless for years...

It's only with the newer glibcs that it's supported by NSS and the
standard library properly (and getent). So while it's not as widely
used as other system databases, it does have its place and has really
only recently become properly usable.

Looking at the newgrp(1) implementation, it's not using glibc NSS.
On a current system, it could certainly switch to using the standard
getsgent (or related fgetsgent_r etc.) calls.

>  IMHO it would be better to mark whole /etc/gshadow as deprecated and
>  reuse "su --group <group> [--supp-group <group> ...]" code to switch
>  between groups, then we don't have to maintain separate newgrp code.
>
>  Note that newgrp(1) is available in shadow-utils and util-linux, sg(1)
>  is alias in shadow-utils. We have been successful with login(1), now
>  I'd like to consolidate newgrp(1) :-)

I don't think that deprecation is really appropriate--the system
interface, NSS and /etc/gshadow are not really the purview of
util-linux, though tools using the interfaces certainly are.

newgrp(1) is specified by POSIX/SUS, so I think this is worth
retaining for compatibility reasons. Making it use NSS would be
a good improvement though, since it's currently limited to flat
files.

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux    http://people.debian.org/~rleigh/
 `. `'   schroot and sbuild  http://alioth.debian.org/projects/buildd-tools
   `-    GPG Public Key      F33D 281D 470A B443 6756 147C 07B3 C8BC 4083 E800
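Added example (not part of the message above, and not code from util-linux or shadow-utils): a sketch of resolving the shadow group entry through glibc's NSS-backed getsgnam() instead of parsing /etc/gshadow by hand, followed by a simplified access decision. The function names, the decision rules and the sample line are assumptions for illustration; membership is taken from the gshadow member field only, and the crypt(3) comparison that would follow a password prompt is left out.

```c
#include <gshadow.h>   /* glibc: getsgnam(), sgetsgent(), struct sgrp */
#include <stdio.h>
#include <string.h>

enum sg_access { SG_GRANT, SG_ASK_PASSWORD, SG_DENY };

static int in_list(char *const *list, const char *user)
{
    for (; list && *list; list++)
        if (strcmp(*list, user) == 0)
            return 1;
    return 0;
}

/* Simplified policy (assumption, modelled on newgrp(1) for non-root callers):
 * listed members switch freely, non-members must know the group password,
 * and an empty password field refuses non-members. A locked field such as
 * "!" still yields SG_ASK_PASSWORD; it never matches a crypt(3) result. */
enum sg_access sg_decide(const struct sgrp *sg, const char *user)
{
    if (sg == NULL)                      /* no entry, or caller may not read it */
        return SG_DENY;
    if (in_list(sg->sg_mem, user))
        return SG_GRANT;
    if (sg->sg_passwd == NULL || sg->sg_passwd[0] == '\0')
        return SG_DENY;
    return SG_ASK_PASSWORD;
}

/* Entry resolved through NSS (files, LDAP, ...), not by parsing /etc/gshadow. */
enum sg_access sg_decide_nss(const char *group, const char *user)
{
    return sg_decide(getsgnam(group), user);
}

/* Same decision on one gshadow(5)-format line, for offline testing. */
enum sg_access sg_decide_line(const char *line, const char *user)
{
    return sg_decide(sgetsgent(line), user);
}

int main(void)
{
    const char *line = "staff:$6$constructed:root:alice,bob"; /* constructed */
    printf("line: alice=%d mallory=%d\n", sg_decide_line(line, "alice"),
           sg_decide_line(line, "mallory"));
    printf("nss:  staff/alice=%d\n", sg_decide_nss("staff", "alice"));
    return 0;
}
```

getsgnam() returns NULL for callers that cannot read the shadow group database, so the NSS path is only meaningful when run with sufficient privilege.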