| 1 |
Hey, |
| 2 |
|
| 3 |
I consider the suse implementation to be broken, while the gentoo one to be |
| 4 |
correct. |
| 5 |
|
| 6 |
su is ment to change the user id for the purpose of running a shell. |
| 7 |
sudo is ment to allow users to execute a limited set of commands with |
| 8 |
elevated privileges. |
| 9 |
|
| 10 |
You were using the wrong tool for the job, and gentoo was nice enough to |
| 11 |
point that :) Sudo is your answer. I also suspect your previous setup could |
| 12 |
potentially have introduced security issues, depending on how it was done. |
| 13 |
|
| 14 |
Cheers, |
| 15 |
Dan. |
| 16 |
|
| 17 |
----- Original Message ----- |
| 18 |
From: "Miguel Sousa Filipe" <miguel@×××××××××××.pt> |
| 19 |
To: <gentoo-server@l.g.o> |
| 20 |
Cc: <rnl@×××××××××××.pt> |
| 21 |
Sent: Monday, April 26, 2004 7:12 PM |
| 22 |
Subject: [gentoo-server] su program and its limitations. |
| 23 |
|
| 24 |
|
| 25 |
Hello all, |
| 26 |
|
| 27 |
The su program in gentoo, that comes with sys-apps/shadow is in my view |
| 28 |
very limited. |
| 29 |
|
| 30 |
In a Suse system, I had several system users with /bin/false has a |
| 31 |
shell, since all they did was use the email, and ftp for site updates. |
| 32 |
Now that this instalation was migrated to gentoo, I am unable to do |
| 33 |
things like: su username -c "start aplication", simply because this |
| 34 |
version of su passes it has an argument to the login shell. |
| 35 |
And there is no way to override the defined shell. |
| 36 |
|
| 37 |
Basically, and in short words, this sucks! |
| 38 |
I had users that were used to execute tomcat, or a sybase database, and |
| 39 |
now they are obliged to have a shell. There is no need for those users |
| 40 |
to have a shell. |
| 41 |
|
| 42 |
More problematic it is with users with mail acounts, that only use the |
| 43 |
system for mail, but there is sometimes the need to su username -c |
| 44 |
/bin/bash to do or to check certain things. |
| 45 |
The reason their shell was /bin/false is because these users are simple |
| 46 |
office workers who might leave their password in a postit or in a |
| 47 |
drawer. It is a good idea to limit their shell access to the |
| 48 |
email/web/database server. |
| 49 |
(there isn't the need for a big security or containment policy enforcing) |
| 50 |
|
| 51 |
|
| 52 |
The Suse version of su comes with: |
| 53 |
# rpm -qf /bin/su |
| 54 |
sh-utils-2.0-106 |
| 55 |
and supports the -s argument for passing a valid shell. (and the man |
| 56 |
page is very nice) |
| 57 |
Our (gentoo) su, doesn't support the -s argument. |
| 58 |
|
| 59 |
|
| 60 |
Is there a way that we have a more flexible, or less limited 'su' by |
| 61 |
default? |
| 62 |
|
| 63 |
Congrats to the gentoo developers, gentoo is "emerging" in the |
| 64 |
enterprise world.. |
| 65 |
|
| 66 |
-- |
| 67 |
|
| 68 |
Miguel Figueiredo Mascarenhas de Sousa Filipe |
| 69 |
email: miguel@×××××××××××.pt (PORTUGAL) |
| 70 |
http://mega.ist.utl.pt/~miguel |
| 71 |
|
| 72 |
Equipa de Administração de Sistemas |
| 73 |
Rede das Novas Licenciaturas (RNL) |
| 74 |
Instituto Superior Técnico |
| 75 |
http://www.rnl.ist.utl.pt |
| 76 |
http://mega.ist.utl.pt |
Archives