--- shadow-4.0.13/src/newgrp.c.newgrpPwd 2005-09-15 18:44:12.000000000 +0200
+++ shadow-4.0.13/src/newgrp.c 2005-10-21 16:02:16.000000000 +0200
@@ -333,25 +333,37 @@ int main (int argc, char **argv)
 }
 #endif

- /*
- * see if she is a member of this group. If she isn't a member, she
- * needs to provide the group password. If there is no group
- * password, she will be denied access anyway.
- *
- */
- if (!is_on_list (grp->gr_mem, name))
- needspasswd = 1;
+ /* Needn't password:
+ * - default user's GID = group ID
+ * - members of group
+ * - root
+ * Need password:
+ * - all others users
+ *
+ * -- Karel Zak <kzak@redhat.com> 2004/03/29
+ */
+ if (getuid ()!=0)
+ {
+ if (grp->gr_gid==pwd->pw_gid)
+ needspasswd = 0;
+ else if (is_on_list (grp->gr_mem, name))
+ needspasswd = 0;
+ else
+ needspasswd = 1;

 /*
 * If she does not have either a shadowed password, or a regular
 * password, and the group has a password, she needs to give the
 * group password.
 */
- if ((spwd = getspnam (name)))
- pwd->pw_passwd = spwd->sp_pwdp;
-
- if (pwd->pw_passwd[0] == '\0' && grp->gr_passwd[0])
- needspasswd = 1;
+ if (!needspasswd)
+ {
+ if ((spwd = getspnam (name)))
+ pwd->pw_passwd = spwd->sp_pwdp;
+ if (pwd->pw_passwd[0] == '\0' && grp->gr_passwd[0])
+ needspasswd = 1;
+ }
+ }

 /*
 * Now i see about letting her into the group she requested. If she
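Review bot: The new inner test `pwd->pw_passwd[0] == '\0' && grp->gr_passwd[0]` dereferences `grp->gr_passwd` without a NULL check, although the second hunk of this patch, which runs later in main(), treats `grp->gr_passwd==NULL` as possible. The two should agree, e.g. `if (pwd->pw_passwd[0] == '\0' && grp->gr_passwd != NULL && grp->gr_passwd[0])`. Separately, `needspasswd` is now assigned only inside `if (getuid ()!=0)`, so the root bypass depends on whatever value the variable holds on entry, which is set outside this hunk; an explicit `else needspasswd = 0;` after the closing brace would make the privilege decision self-contained. main() starts and ends outside the hunk.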
@@ -362,7 +374,21 @@ int main (int argc, char **argv)
 * Note that she now has to provide the password to her own group,
 * unless she is listed as a member. -- JWP
 */
- if (getuid () != 0 && needspasswd) {
+ if (needspasswd) {
+
+ /* note: the original util-linux newgrp didn't ask for pasword if
+ * there is no password. It's better directly give up.
+ * -- kzak@redhat.com
+ */
+ if (grp->gr_passwd==NULL || grp->gr_passwd[0] == '\0') {
+ /*
+ * there is no password, print out "Sorry" and give up
+ */
+ sleep (1);
+ fputs (_("Sorry.\n"), stderr);
+ goto failure;
+ }
+
 /*
 * get the password from her, and set the salt for
 * the decryption from the group file.
@@ -378,15 +404,6 @@ int main (int argc, char **argv)
 cpasswd = pw_encrypt (cp, grp->gr_passwd);
 strzero (cp);

- if (grp->gr_passwd[0] == '\0') {
- /*
- * there is no password, print out "Sorry" and give up
- */
- sleep (1);
- fputs (_("Sorry.\n"), stderr);
- goto failure;
- }
-
 if (strcmp (cpasswd, grp->gr_passwd) != 0) {
 SYSLOG ((LOG_INFO,
 "Invalid password for group `%s' from `%s'",
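Review bot: The early deny path added under `if (needspasswd)` prints "Sorry." and jumps to `failure` without writing a log record, whereas the wrong-password branch further down calls SYSLOG. Unless the `failure` label (outside this hunk) logs, refused attempts by non-members on groups that have no password leave no trace for later review. A line such as `SYSLOG ((LOG_INFO, "Group '%s' has no password, access denied for '%s'", grp->gr_name, name));` before `sleep (1);` would cover it. The retained comment above the test still says she has to provide the password to her own group unless she is listed as a member; this no longer matches the primary-GID exemption added in the first hunk and should be reworded.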