Contributed by rueda from the cleanliness dept.
Theo de Raadt has committed changes which result in shutdown(8) requiring membership of the (new) _shutdown group.
The commit message explains the rationale:
CVSROOT:	/cvs
Module name:	src
Changes by:	firstname.lastname@example.org	2023/06/19 07:05:25

Modified files:
	etc            : group
	sbin/shutdown  : Makefile shutdown.8

Log message:
The group "operator" gatekeeps a few superuser abilities (dumping disks,
manipulating tape drives -> means gid operator on device nodes). This group
is also used with group-access bit on the setuid-root shutdown command
(mode ug+x,u+s). Some people use this to shutdown/reboot their machines,
but use of that group is giving them disk read access also, which is wrong.
It would be a pain to re-gid all the device nodes, so instead let's renumber
the operator execution gid into group "_shutdown". Users using this
shutdown/reboot functionality will notice it no longer works, and move
themselves to the correct group. Various choices discussed at large, this
seems our best choice.
It is entirely possible other ports need to be updated too, so please test your favorite (and maybe some not-so-favorite) software on the latest snapshot you can get your hands on!
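As an added example (not part of the original post or of OpenBSD's tree), the following sh function audits a group(5) file for the split described in the commit message: it reports which users sit in "operator", in "_shutdown", or in both. The function names, the sample file and its gid values are constructed for illustration, and only supplementary membership (the fourth field) is examined.

```shell
#!/bin/sh
# Added example: classify users after the operator -> _shutdown split.
#   operator-only : keeps operator's disk/tape access, can no longer run shutdown
#   both          : can run shutdown, but still holds operator's disk read access
#   shutdown-only : can run shutdown without operator's device access
# Assumption: primary groups set in passwd(5) are not considered.

# audit_groups FILE: print "user status" lines, sorted by user name.
audit_groups() {
    awk -F: '
        # Collect the comma-separated member list of each group of interest.
        $1 == "operator"  { n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] != "") op[a[i]] = 1 }
        $1 == "_shutdown" { n = split($4, a, ","); for (i = 1; i <= n; i++) if (a[i] != "") sd[a[i]] = 1 }
        END {
            for (u in op) print u, ((u in sd) ? "both" : "operator-only")
            for (u in sd) if (!(u in op)) print u, "shutdown-only"
        }' "$1" | sort
}

# sample_group: constructed group(5) content; user names and gids are made up.
sample_group() {
    cat <<'EOF'
wheel:*:0:root,alice
operator:*:5:root,alice,bob
_shutdown:*:9999:alice,carol
EOF
}

# Demo run against the constructed sample.
tmp=$(mktemp) && sample_group > "$tmp" && audit_groups "$tmp"
rm -f "$tmp"
```

Users reported as "both" are worth reviewing: if they only ever needed shutdown/reboot, removing them from "operator" drops the disk read access the commit message calls out.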