On Tue, 30 Jul 1996, Brian R. Gaeke wrote:

> And then spake The Great Mr. Kurtz [David A. Gatwood] as follows:
> > > 3. su: hears me knocking but I can't come in
> > > When I su from my account, which is included in group wheel according
> > > to passwd and group settings, why does the system say 'Sorry'?
>
> I think that su needs your username to be in the list of members in
> /etc/group, not just to have principal gid = 0 (which, if it is true,
> is not in the su manpage, and therefore could be construed to be a bug.)
> I could be wrong, but I'm going to try hacking on the su source
> later on this evening. If I confirm this puzzling behavior I'll send-pr it.

I guess I misread that.  I thought he already put it in.  Yes, I think
you're right about it needing to be in /etc/group.  I seem to remember
another discussion about su only accessing the group file and not
/etc/passwd.  If that turns out to be the case, it wouldn't be
particularly hard to fix.

This ought to work if you replace the grep with something that only checks
the first word.

checkpassfile(int wheelgid, char *username)
{
FILE *fp;
char filename[128];
char line[1026];
char gidname[10];
int i,j,colonA,colonB;

sprintf(filename,"/usr/bin/grep %s /etc/passwd",username);
fp=popen(filename,"r");
if ((fgets(line,1024,fp))==NULL) goto notfound;

j=0;
while (i=0;i<strlen(line);i++) {
	if (line[i]==':') {j++;
		if (j=4) /* ??? beginning of groups ??? */ colonA=i;
		if (j=5) /* ??? end of groups ??? */ colonB=i;
		}
	}

while (i=colonA+1;i<colonB;i++)
	gidname[i-(colonA+1)]=line[i];

if (atoi(gidname)==wheelgid) return 1;

notfound:
return 0;

}

TECHNICAL NOTES:

This function takes two agrguments, one of which should always be an int
value of 0, I think, but I put it in anyway.  The other's a string to grep
for.  The pipe to grep may not be the right pathname.  (/bin, /usr/bin,
/sbin, /usr/sbin... I forget....)  The number of colons before the group
ID may be wrong (it's from memory), it might be... say 3 and 4 instead of
4 and 5, up in the colon count section.

Finaly, and most importantly, it would be wise to eliminate the pipe to
grep, and use another function to pull out the first line containing the
username at the beginning.  Especially if you have users running shells
out of other users' home directories.

It's just a throw-together patch, though.  Feel free to tear it to shreds.

Later,

 /---------------------------------------------------------------------\
|David A. Gatwood             And Richard Cory, one calm summer night,  |
|davagatw@mars              Went home and put a bullet through his head.|
|dgatwood@nyx.cs.du.edu              --Edwin Arlington Robinson         |
|http://mars.utm.edu/~davagatw -or- http://nox.cs.du.edu:8001/~dgatwood |
 \---------------------------------------------------------------------/