To: Alan Barrett <>
From: Simon J. Gerraty <>
List: tech-security
Date: 01/17/2001 23:11:38
>On Wed, 10 Jan 2001, Simon J. Gerraty wrote:
>> If SU_INDIRECT_GROUP is defined (it is by default), then su will
>> consider that SUGROUP and ROOTAUTH group contain the names of
>> users and groups.  If user is not found in the list check_ingroup()
>> recurses on each member until either user is found or end of chain
>> is reached.

>In addition to the comments others have made about why this should
>default to being disabled, I have a comment about the lookup

I too agree that the default should be dissabled. 
The default was changed to dissabled right after the above commit.

>Many sites have a separate group for each user, and use the same
>spelling for both the user name and the group name.

If you use NIS, this eventually causes problems on some systems at least. 

>  If one of these
>user/group names appears in the wheel group, then I think that su
>should treat it as a user name, not as a group name to be recursed

In the case of the target user, obviously it would stop searching as soon
as the name matches and thus would not lookup a group name.  
In other cases, how would su know?  

One of the reasons that this feature is (and should be) off by default is 
that one should not enable it without considering the content of the
groups database (be it /etc/group, NIS or both).