really: Document need to be in the "root" group as well. (This is better than removi...

diff --git a/cprogs/really.8 b/cprogs/really.8
index fb21f058d457e286e0262067d7d6e9b95a9ccd34..2344e14138934c294d30af3af61db55f5ca6d50d 100644 (file)
--- a/cprogs/really.8
+++ b/cprogs/really.8
@@ -20,11 +20,14 @@ will run
 .BR "$SHELL -i" .
 .PP
 A caller is allowed if it has write access to
-.BR /etc/inittab .
-This is most easily achieved by creating or using a suitable group,
-containing all the appropriate users, and making
+.BR /etc/inittab
+and is also member of the group
+.BR root .
+This is most easily achieved by making inittab group-writeable by some
+suitable group containing all the appropriate users, and making
 .B /etc/inittab
-group-owned by that group and group-writeable.
+group-owned by that group and group-writeable.  The root group is
+perhaps a good choice if it isn't being used for anything else.
 .SH OPTIONS
 .TP
 \fB-u\fR \fIusername\fR | \fB--user\fR \fIusername\fR

diff --git a/debian/changelog b/debian/changelog
index a17ffd004847883d8903956bca0643a4d4bca397..4f71e9d2732d59bd15ad83bd74196b1a0be617d0 100644 (file)
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,9 @@ chiark-utils (4.2.1~~iwj4) unstable; urgency=low
 
   * really: Add "danger!" warning to usage message description of -R.
   * really: Document -R option in the manpage.  Closes:#693354.
+  * really: Document need to be in the "root" group as well.  (This is
+    better than removing the restriction, because it would be dangerous to
+    relax this security barrier in existing deployments.)  Closes:#693356.
 
  --