Hi,

I've read a lot about this issue, but couldn't find the answers. I have
some questions about groups authentication, please see below:

lupe@preto: ~$ su - postgres
Password:

postgres@preto ~$ id
uid=1002(postgres) gid=103(postgres)
grupos=103(postgres),104(backup),106(samba)

postgres@preto ~$ newgrp samba
postgres@preto ~$ newgrp postgres
Password:
Sorry.
I've realized that when I issue a newgrp command, another bash session
is opened. I can 'exit' to the previous shell. But shouldn't I be able
to change to 'postgres' again?

Why does it ask me for a password? I have a password for user postgres,
not for group postgres. That password is no good when used for the
postgres group authentication. A blank password is no good either. Do I
have to convert the shadow password just to see what password was chosen
by the default postgresql installation?



postgres@preto ~$ id
uid=1002(postgres) gid=106(samba)
grupos=103(postgres),104(backup),106(samba)
postgres@preto ~$ cat /etc/passwd | grep postgres
postgres:x:1002:103:,,,:/usr/local/pgsql/home/:/bin/bash
postgres@preto ~$ cat /etc/group | grep postgres
postgres:x:103:
backup:x:104:lupe,postgres
samba:x:106:lupe,postgres

Why there is no user postgres at the end of 'postgres:x:103:'?
Shouldn't the only user of the postgres group, i.e. user postgres, be
listed there?

TIA,

Luis P. Mendes
slackware 10.2

"Luis P. Mendes" <luis_lupe2XXX@netvisaoXXX.pt> wrote:
> Why does it ask me for a password?

From the manpage of newgrp:

-8<---------------------------------------------
The user will be prompted for a pass-
word if she do not have a password and the group does, or
if the user is not listed as a member and the group has a
password. The user will be denied access if the group
password is empty and the user is not listed as a member.
-8<---------------------------------------------

You are probably denied access because the user isn't listed in the group.

> postgres@preto ~$ cat /etc/group | grep postgres
> postgres:x:103:
> backup:x:104:lupe,postgres
> samba:x:106:lupe,postgres

This looks a bit odd to me, all group files that I have seen have had
empty password fields. Above it seems as if there are passwords which have
been shadowed. How did you get those groups in /etc/groups? Did you add
them manually? Does all your groups have x in the password field?

> Why there is no user postgres at the end of 'postgres:x:103:'? Shouldn't
> the only user of the postgres group, i.e. user postgres, be listed there?

Usually when a new account is created the account is given a default
group, however the new account usually are not added to the group. Even
though you are not listed in the group you belong to that group when
logged in. I suppose that it would be more clean to add all users on
the group line also, but that would make very long group lines on big
systems :-).

regards Henrik
--
The address in the header is only to prevent spam. My real address is:
hc8(at)uthyres.com Examples of addresses which go to spammers:
root@variousus.net root@localhost

Thank you for your help. Please, see below my comments.

> From the manpage of newgrp:
>
> -8<---------------------------------------------
> The user will be prompted for a pass-
> word if she do not have a password and the group does, or
> if the user is not listed as a member and the group has a
> password. The user will be denied access if the group
> password is empty and the user is not listed as a member.
> -8<---------------------------------------------
>
> You are probably denied access because the user isn't listed in the group.
>
>> postgres@preto ~$ cat /etc/group | grep postgres
>> postgres:x:103:
>> backup:x:104:lupe,postgres
>> samba:x:106:lupe,postgres
Ok, now I added manually postgres user to the end of the line.

postgres@preto ~$ cat /etc/passwd | grep postgres
postgres:x:1002:103:,,,:/usr/local/pgsql/home/:/bin/bash

It eliminates all the possible explanations of the newgrp manpage. But
the situation remains unclear for me:
lupe@preto: ~$ su - postgres
Password:
postgres@preto ~$ newgrp samba
postgres@preto ~$ newgrp postgres
Password:
Sorry.

Why does this happen? It's just a curiosity. I'd just like to learn why.

>
> This looks a bit odd to me, all group files that I have seen have had
> empty password fields. Above it seems as if there are passwords which have
> been shadowed. How did you get those groups in /etc/groups? Did you add
> them manually? Does all your groups have x in the password field?
Only the groups added by me as root have an 'x'.
I used useradd to add users and groupadd for groups. This behavior
should be the same in other 10.2 installations, or not?


Luis P. Mendes

On Fri, 21 Jul 2006 01:01:42 +0100, Luis P. Mendes wrote:
[snip]
> the situation remains unclear for me:
> lupe@preto: ~$ su - postgres
> Password:
> postgres@preto ~$ newgrp samba
> postgres@preto ~$ newgrp postgres
> Password:
> Sorry.
>
> Why does this happen? It's just a curiosity. I'd just like to learn why.

Look in the /etc/gshadow file, maybe by way of the ``vigr -s'' command.
And have a read through the manpages of 'grpck', 'pwconv' and 'gpasswd'.

-Menno.