Subject: Re: SU_INDIRECT_GROUP
To: Simon J. Gerraty <sjg@quick.com.au>
From: Alan Barrett <apb@cequrux.com>
List: tech-security
Date: 01/19/2001 11:55:32

On Fri, 19 Jan 2001, Simon J. Gerraty wrote:
> > But perhaps that's too expensive, in which case the documentation
> > should warn people not to expect it to work.
> 
> Not to expect what to work?

If you have the SU_INDIRECT_GROUPS feature turned on, and you add
something that you think is a user name to the wheel group, then su
will sometimes treat it as a group name rather than as a user name.  
This will have undesirable results if the same spelling is used for
both a user name and a group name, and if the group contains members
other than the user with the same spelling.

> Anyway, I think it's worth adding a warning to carefully consider
> the content of the group database(s) before enabling the feature.

Yes, indeed. I think that the warning should suggest a safe way to use
the feature, and should describe the implementation in enough detail
that people will be able to reason about the effects of doing
something other than the safe suggestion.

--apb (Alan Barrett)
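
The collision described in the message above can be checked for before the feature is enabled. The following is an added example, not part of the original message and not su's own code: it audits a group(5) file for wheel entries that are spelled like both a user name and a group name where that group has other members. The sample data, function names and the choice to look only at members listed in the group file are assumptions of the example.

```python
# Added example: audit for wheel entries that are both a user name and a
# group name. All sample data below is constructed for illustration.

SAMPLE_GROUP = """\
wheel:*:0:root,alice,ops
alice:*:1001:alice,bob
ops:*:1002:carol,dave
staff:*:20:alice,bob,carol
"""
SAMPLE_USERS = {"root", "alice", "bob", "carol", "dave"}  # names from passwd


def parse_group(text):
    """Parse group(5) lines (name:passwd:gid:member,...) into {name: [members]}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue  # malformed line, ignore it
        members = [m for m in fields[3].split(",") if m]
        groups.setdefault(fields[0], []).extend(members)
    return groups


def ambiguous_wheel_entries(group_text, users, wheel="wheel"):
    """Return {entry: [extra users]} for each wheel entry that is spelled like
    both a user and a group, where the group lists members other than that user.
    Assumption: only members listed in the group file are considered."""
    groups = parse_group(group_text)
    findings = {}
    for entry in groups.get(wheel, []):
        if entry == wheel or entry not in users or entry not in groups:
            continue  # plain user, or a name that is only a group
        extra = sorted(set(groups[entry]) - {entry})
        if extra:
            findings[entry] = extra
    return findings


if __name__ == "__main__":
    for name, extra in ambiguous_wheel_entries(SAMPLE_GROUP, SAMPLE_USERS).items():
        print(f"wheel entry '{name}' is also a group containing: {', '.join(extra)}")
```

An empty result means no wheel entry has the same spelling as a group with additional listed members; entries such as the constructed `ops`, which name only a group, are not reported because they are not ambiguous.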