Subject: Re: bin/11047: newgrp is missing
To: Greg A. Woods <firstname.lastname@example.org>
From: Andrew Brown <email@example.com>
Date: 04/26/2002 23:13:36
>> >yes, we don't have one, but what problem is that? does it do
>> >something for anyone that they can't already do?
>> It adds a step that a user must do in order to do what he can do now.
>On systems with setgroups(2) the 'newgrp' command only changes the
>default group (and that inludes Solaris!). So long as your system has
>setgroups(2), and your user-ID has membership to all the groups you need
>to do your job, and you don't mind leaving your default group as it is,
>then you don't ever have to type 'newgrp', whether or not the command
if one doesn't need it, then there's no need for it to exist. it has
a vague usefulness under solaris, but only vague. there are (at
least) two ways to get around without it.
>For those people who need a way to change their default group, 'newgrp'
>is necessary. With a proper, secure, implementation of
>/etc/master.group and all the other sundry bits to manage keeping
>/etc/group et al in sync with it (vigrp too?), then it can even be
>possible to change your default group to one you're not listed in, which
>will effectively give additional group access to those with the
>appropriate authentication credentials (and for those which a password
>has been assigned, of course).
i think it would be vigr (ala getpwent() and getgrent() et al), but
that's neither here nor there. if newgrp were used to *add* a
temporary group to a user's group list (presumably by means of a
subshell, ala su) then it *might* be useful, but one would have to
wonder why the user wasn't already *in* that group.
>BTW, adding /etc/master.group is a perfect time to introduce /etc/grp.db
>(and of course /etc/sgrp.db) to help out performance-wise on those
>systems where there are lots of users and every user has their own group
that is...of ancillary benefit. grp.db could already be generated
from /etc/group with very little effort. the passwords for groups
(and the sgrp.db file) would only be needed *if* we needed passwords
on groups. for which i still don't see a real need. :)
|-----< "CODE WARRIOR" >-----|
firstname.lastname@example.org * "ah! i see you have the internet
email@example.com (Andrew Brown) that goes *ping*!"
firstname.lastname@example.org * "information is power -- share the wealth."