Subject: bin/1463: su doesn't correctly test for membership in "wheel"
To: None <gnats-bugs@NetBSD.ORG>
From: None <davide@PIPER.NECTAR.CS.CMU.EDU>
List: netbsd-bugs
Date: 09/14/1995 16:43:36
>Number:         1463
>Category:       bin
>Synopsis:       su checks /etc/group for "wheel" membership, but not /etc/passwd
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    bin-bug-people (Utility Bug People)
>State:          open
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Thu Sep 14 16:50:00 1995
>Last-Modified:
>Originator:     David Eckhardt
>Organization:
Carnegie Mellon University Computer Science
>Release:        NetBSD-0812
>Environment:
	System: NetBSD piper.nectar.cs.cmu.edu 1.0A NetBSD 1.0A (IJET) #152: Sat Jul 15 14:38:58 EDT 1995 kosak@river:/usr/src/sys/arch/i386/compile/IJET i386

>Description:
	% grep davide /etc/passwd
	davide:*:4435:0:Dave Eckhardt:/usr/davide:/bin/csh
	% grep wheel /etc/group
	wheel:*:0:root
	% id
	uid=4435(davide) gid=0(wheel) groups=0(wheel)
	% su
	su: you are not in the correct group to su root.

	The relevant code in su looks like:

	if (pwd->pw_uid == 0 && (gr = getgrgid((gid_t)0)))
		for (g = gr->gr_mem;; ++g) {
			if (!*g) {
				(void)fprintf(stderr,
			"su: you are not in the correct group to su %s.\n",
					user);
				exit(1);
			}
			if (!strcmp(username, *g))
				break;
	}

>How-To-Repeat:
	See above /etc/passwd and /etc/group lines
>Fix:
	Assuming this is an oversight rather than a policy decision, the
	check should be something like

	if (pwd->pw_uid == 0 && pwd->pw_gid != 0 && (gr = getgrgid((gid_t)0)))

	Interestingly enough, it looks like this code will let anybody su
	to root if there is no "wheel" entry in /etc/group...is this a
	fail-safe?
>Audit-Trail:
>Unformatted:
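
Added example, not part of the original report and not NetBSD's su source: the member-list-only check from the report beside a variant that also accepts gid 0 as the caller's primary group, run on data constructed from the passwd and group lines above. The function names, the fail_open parameter and the "guest" account are assumptions made for illustration.

```c
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* The check as quoted in the report: only the member list of the gid-0
 * group is searched. gr is the result of getgrgid(0); NULL skips the check. */
static int allowed_members_only(const struct group *gr, const char *username)
{
    char **g;

    if (gr == NULL)
        return 1;   /* no gid-0 entry: nothing is enforced */
    for (g = gr->gr_mem; *g != NULL; ++g)
        if (strcmp(username, *g) == 0)
            return 1;
    return 0;
}

/* Variant that also accepts gid 0 as the caller's primary group, taken from
 * the caller's own passwd entry. fail_open (hypothetical knob) chooses what
 * a missing gid-0 group entry means. */
static int allowed_with_primary_gid(const struct group *gr,
    const struct passwd *caller, int fail_open)
{
    if (caller->pw_gid == 0)
        return 1;
    if (gr == NULL)
        return fail_open;
    return allowed_members_only(gr, caller->pw_name);
}

/* Constructed from the passwd and group lines shown in the report. */
static char *wheel_members[] = { "root", NULL };
static struct group wheel = { .gr_name = "wheel", .gr_gid = 0, .gr_mem = wheel_members };
static struct passwd davide = { .pw_name = "davide", .pw_uid = 4435, .pw_gid = 0 };
static struct passwd other = { .pw_name = "guest", .pw_uid = 5000, .pw_gid = 100 }; /* hypothetical */

int main(void)
{
    printf("members only, davide: %d\n", allowed_members_only(&wheel, davide.pw_name));
    printf("with primary gid, davide: %d\n", allowed_with_primary_gid(&wheel, &davide, 0));
    printf("with primary gid, guest: %d\n", allowed_with_primary_gid(&wheel, &other, 0));
    printf("no gid-0 group, guest, fail closed: %d\n", allowed_with_primary_gid(NULL, &other, 0));
    return 0;
}
```

The primary-gid test reads the caller's passwd entry, which is a separate lookup from the target user's entry that the quoted code tests with pw_uid == 0.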