From ca5ad7b63434b7937add773d4ff02df462ccad14 Mon Sep 17 00:00:00 2001 From: Russ Allbery Date: Mon, 19 Jan 2009 03:32:18 +0000 Subject: [PATCH] DEVEL15-man-page-pts-membership-privilege-20090118 FIXES 124151 LICENSE BSD Add system:ptsviewers to the privilege documentation of pts membership and try to clarify the privilege required by being less verbose and hopefully more direct. (cherry picked from commit d781450cf3c08bf89f3d1490620ed89885f7e518) --- doc/man-pages/pod1/pts_membership.pod | 42 +++++++++++++---------------------- 1 file changed, 16 insertions(+), 26 deletions(-) diff --git a/doc/man-pages/pod1/pts_membership.pod b/doc/man-pages/pod1/pts_membership.pod index e5cbdc4..f0cba9c 100644 --- a/doc/man-pages/pod1/pts_membership.pod +++ b/doc/man-pages/pod1/pts_membership.pod @@ -34,7 +34,7 @@ It is not possible to list the members of the system:anyuser or system:authuser groups, and they do not appear in the list of groups to which a user belongs. -To add users or machine to groups, use the pts adduser command; to remove +To add users or machine to groups, use the B command; to remove them, use the B command. =head1 OPTIONS 
@@ -112,45 +112,35 @@ non-administrative user to obtain this listing. =head1 PRIVILEGE REQUIRED -The required privilege depends on the setting of the third privacy flag in -the Protection Database entry of each user or group indicated by the -B<-nameorid> argument (use the B command to display the +Members of the groups system:ptsviewers and system:administrators can +always use this command in any of its variations. Additionally, a user +can always list the groups to which they belong, and the owner of a group +can always list the members of the group. + +Additional privileges may be granted by the setting of the third privacy +flag in the Protection Database entry of each user or group indicated by +the B<-nameorid> argument (use the B command to display the flags): =over 4 =item * -If it is the hyphen and the B<-nameorid> argument specifies a user, only -the associated user and members of the system:administrators group can -list the groups to which the user belongs. - -=item * - -If it is the hyphen and the B<-nameorid> argument specifies a machine, -only the members of the system:administrators group can list the groups to -which the machine belongs. - -=item * - -If it is the hyphen and the B<-nameorid> argument specifies a group, only -the owner of the group and members of the system:administrators group can -list the members of the group. - -=item * - -If it is lowercase C and the B<-nameorid> argument specifies a user or -machine entry, the meaning is equivalent to the hyphen. +If it is a hypen, the default permissions described above apply. =item * If it is lowercase C and the B<-nameorid> argument specifies a group, -members of the group can also list the other members. +members of that group can also list the other members. A privacy flag of +C only changes the permissions when set for a group. Setting this flag +for a user or a machine has no effect. 
=item * If it is uppercase C, anyone who can access the cell's database server -machines can list group memberships. +machines can list the membership of the group or the groups to which that +user or machine belongs, depending on what type of entry the flag is set +on. =back -- 1.9.4
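Review bot: In the first hunk (`@@ -34,7 +34,7 @@`), the rewritten line keeps the pre-existing grammar slip "users or machine to groups"; since the line is being touched anyway to bold the command name, make it "To add users or machines to groups, use the B<pts adduser> command; to remove". The bolding itself is consistent with the B<pts removeuser> reference on the following unchanged line.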
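Review bot: In the second hunk (`@@ -112,45 +112,35 @@`), the new bullet "If it is a hypen, the default permissions described above apply." has a typo: "hypen" should be "hyphen". Also, the three removed bullets spelled out the machine case explicitly (only system:administrators could list the groups a machine belongs to), but the new summary paragraph only states defaults for users ("can always list the groups to which they belong") and group owners, so the machine default is now implicit; consider adding one sentence such as "Only members of system:administrators and system:ptsviewers can list the groups to which a machine belongs." so the reader does not have to infer it. The new uppercase-flag wording ("anyone who can access the cell's database server machines can list ...") is a welcome clarification that the flag makes membership readable by any client that can reach the database servers.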