Thread: su(1) asking for pw if euid==0
| su(1) asking for pw if euid==0 |
  Switzerland |
2007-07-10 16:30:50 |
Hi,

I'm having a problem with an rc script which sets $_user to run
the command as another user using su(1). While starting the command
works fine, shutting it down doesn't.

Since shutdown(8) is setuid root:operator I assume a non-root user in
group `operator' should be allowed to shut down the system. Is this
correct? However, this results in rc.shutdown being run as uid!=0 and
euid==0. Nevertheless su(1) asks for a password when trying to kill
the non-root process. Is this intended behaviour? If yes, rc.subr
should probably be changed to kill _all_ processes as root, not only
those not setting $_user.

To reproduce the core of the problem:
$ id
uid=1000(jukka) gid=1000(jukka) groups=1000(jukka),0(wheel),5(operator),[...]
$ sudo cp /bin/ksh /
$ sudo chown 0:0 /ksh
$ sudo chmod 4554 /ksh
$ /ksh
# id
uid=1000(jukka) gid=1000(jukka) euid=0(root) groups=1000(jukka),0(wheel),5(operator),[...]
# su -m daemon -c id
Password:
This works as expected for root:
$ sudo su -
[...]
# id
uid=0(root) gid=0(wheel) groups=0(wheel),[...]
# su -m daemon -c id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
So, what should be fixed? su(1), rc(8) or my understanding of them?
Regards, Jukka
--
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~
| Re: su(1) asking for pw if euid==0 |
  Netherlands |
2007-07-11 02:11:35 |
On Wed, Jul 11, 2007 at 02:07:34AM +0000, Christos Zoulas wrote:
> >So, what should be fixed? su(1), rc(8) or my understanding of them?
>
> Make the setuid program set the real id to 0 before exec'ing su.

Yes, please do this! I've also had problems with database/postgresql from
pkgsrc. It also tries to use su to stop a daemon, which prompts for
a password if you run shutdown as a normal user.

Regards,
Peter
--
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer
is especially attractive, not only because it can be economically
and scientifically rewarding, but also because it can be an aesthetic
experience much like composing poetry or music."
-- Donald Knuth
| Re: su(1) asking for pw if euid==0 |
  Switzerland |
2007-07-11 06:21:20 |
John Nemeth --> tech-userlevel (2007-07-10 17:05:47 -0700):
> On Nov 30, 6:06pm, Jukka Salmi wrote:
> }
> } I'm having a problem with an rc script which sets $_user to run
> } the command as another user using su(1). While starting the command
> } works fine, shutting it down doesn't.
> }
> } Since shutdown(8) is setuid root:operator I assume a non-root user in
> } group `operator' should be allowed to shut down the system. Is this
> } correct? However, this results in rc.shutdown being run as uid!=0 and
> } euid==0. Nevertheless su(1) asks for a password when trying to kill
> } the non-root process. Is this intended behaviour? If yes, rc.subr
> } should probably be changed to kill _all_ processes as root, not only
> } those not setting $_user.
>
> What version of shutdown(8) do you have? It appears that this
> problem was solved in src/sbin/shutdown.c:1.47.

Indeed, thanks for the hint. The system in question is running NetBSD
3 (i.e. shutdown.c:1.44). Applying the relevant part of 1.47 (attached)
fixed the problem.

Thanks!
Regards, Jukka
--
bashian roulette:
$ ((RANDOM%6)) || rm -rf ~
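
The behaviour discussed in this thread, as an added example that is not part of any message and is not the shutdown.c change itself: a hypothetical setuid-root helper makes its real uid 0 before exec'ing a child, so that a child deciding on the real uid (as su(1) does in the reproduction above) sees root. The name `promote_real_uid` and the use of /usr/bin/id as the child are assumptions made for illustration.

```c
/* Added example: hypothetical setuid-root helper, not NetBSD's shutdown.c. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Make the real uid match an effective uid of 0.
 * A setuid-root binary started by uid 1000 runs with uid=1000, euid=0;
 * children inherit both, and one that decides on getuid() still sees 1000.
 * The helper must finish its own authorisation of the invoking user
 * (for example mode 4550 root:operator on the binary) before calling this,
 * because afterwards nothing distinguishes the caller from root.
 * Returns 0 on success, -1 with errno set otherwise.
 */
int promote_real_uid(void)
{
    if (geteuid() != 0) {
        errno = EPERM;          /* not effectively root: nothing to promote */
        return -1;
    }
    if (setuid(0) == -1)        /* with euid 0: sets real, effective, saved uid */
        return -1;
    if (getuid() != 0 || geteuid() != 0) {
        errno = EPERM;          /* verify the change instead of assuming it */
        return -1;
    }
    return 0;
}

int main(void)
{
    printf("before: uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    if (promote_real_uid() == -1) {
        fprintf(stderr, "promote_real_uid: %s\n", strerror(errno));
        return 1;
    }
    printf("after:  uid=%d euid=%d\n", (int)getuid(), (int)geteuid());
    fflush(stdout);
    /* The child now reports uid=0 with no separate euid field. */
    execl("/usr/bin/id", "id", (char *)NULL);
    perror("execl");            /* only reached if the exec failed */
    return 1;
}
```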
| Re: su(1) asking for pw if euid==0 |
  United States |
2007-07-13 14:36:04 |
On Wed, Jul 11, 2007 at 09:11:35AM +0200, Peter Bex wrote:
> On Wed, Jul 11, 2007 at 02:07:34AM +0000, Christos Zoulas wrote:
> > >So, what should be fixed? su(1), rc(8) or my understanding of them?
> >
> > Make the setuid program set the real id to 0 before exec'ing su.
>
> Yes, please do this! I've also had problems with database/postgresql from
> pkgsrc. It also tries to use su to stop a daemon, which prompts for
> a password if you run shutdown as a normal user.

database/postgresql is why I started a thread about this a while ago which
resulted in the fixed version of shutdown.

Take care,
Bill
| Re: su(1) asking for pw if euid==0 |
  Netherlands |
2007-07-14 05:06:31 |
On Fri, Jul 13, 2007 at 12:36:04PM -0700, Bill Stouder-Studenmund wrote:
> > Yes, please do this! I've also had problems with database/postgresql from
> > pkgsrc. It also tries to use su to stop a daemon, which prompts for
> > a password if you run shutdown as a normal user.
>
> database/postgresql is why I started a thread about this a while ago which
> resulted in the fixed version of shutdown.

Excellent! Will it be in 3.2 or 4.0?
Regards,
Peter
--
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer
is especially attractive, not only because it can be economically
and scientifically rewarding, but also because it can be an aesthetic
experience much like composing poetry or music."
-- Donald Knuth