Path: utzoo!attcan!uunet!wuarchive!zaphod.mps.ohio-state.edu!sdd.hp.com!hp-pcd!hpfcso!hpfcdc!rml
From: rml@hpfcdc.HP.COM (Bob Lenk)
Newsgroups: comp.sys.hp
Subject: Re: SAM sucks (was Re: ARPA Services Problems on 7.0)
Message-ID: <5570445@hpfcdc.HP.COM>
Date: 7 Jul 90 01:48:16 GMT
References: <9722@pt.cs.cmu.edu>
Organization: HP Ft. Collins, Co.
Lines: 25

> >As such, a null password in the group file is not a security hole. It is
> >equivalent to a star, except that a star will cause newgrp to prompt
> >the user for a password when it will never match.
>
> I tried this, and found out that you are correct. I am glad to see that
> such a gaping hole was not overlooked. Now, my next question, is why
> was this behavior changed? To my (limited) knowledge, these semantics
> are different from both Sys V and BSD derivative systems that I have
> used. Was there a reason for this change, or was it gratuitous?

These semantics are straight System V Release 2. I just looked at 7th
Edition and see that there was a major change in between (though no
corresponding change to the documentation). Presumably BSD releases
prior to 4.2 (when they dropped newgrp) are like version 7. I
haven't checked other System V releases.

> I DO hope these changes were made in setgid(2), rather than in newgrp(1).

No, setgid(2) remains completely unaware of anything in the file system.
To my knowledge only newgrp has ever known anything about the passwords
in /etc/group.

Bob Lenk
rml@hpfcla.hp.com
hplabs!hpfcla!rml