Hey,

I consider the suse implementation to be broken, while the gentoo one to be
correct.

su is meant to change the user id for the purpose of running a shell.
sudo is meant to allow users to execute a limited set of commands with
elevated privileges.

You were using the wrong tool for the job, and gentoo was nice enough to
point that out :) Sudo is your answer. I also suspect your previous setup could
potentially have introduced security issues, depending on how it was done.

Cheers,
Dan.

----- Original Message -----
From: "Miguel Sousa Filipe" <miguel@×××××××××××.pt>
To: <gentoo-server@l.g.o>
Cc: <rnl@×××××××××××.pt>
Sent: Monday, April 26, 2004 7:12 PM
Subject: [gentoo-server] su program and its limitations.

Hello all,

The su program in gentoo, that comes with sys-apps/shadow, is in my view
very limited.

In a Suse system, I had several system users with /bin/false as a
shell, since all they did was use the email, and ftp for site updates.
Now that this installation was migrated to gentoo, I am unable to do
things like: su username -c "start application", simply because this
version of su passes it as an argument to the login shell.
And there is no way to override the defined shell.

Basically, and in short words, this sucks!
I had users that were used to execute tomcat, or a sybase database, and
now they are obliged to have a shell. There is no need for those users
to have a shell.

More problematic it is with users with mail accounts, that only use the
system for mail, but there is sometimes the need to su username -c
/bin/bash to do or to check certain things.
The reason their shell was /bin/false is because these users are simple
office workers who might leave their password on a post-it or in a
drawer. It is a good idea to limit their shell access to the
email/web/database server.
(there isn't the need for a big security or containment policy enforcing)


The Suse version of su comes with:
# rpm -qf /bin/su
sh-utils-2.0-106
and supports the -s argument for passing a valid shell. (and the man
page is very nice)
Our (gentoo) su doesn't support the -s argument.


Is there a way that we have a more flexible, or less limited 'su' by
default?

Congrats to the gentoo developers, gentoo is "emerging" in the
enterprise world..

--

Miguel Figueiredo Mascarenhas de Sousa Filipe
email: miguel@×××××××××××.pt (PORTUGAL)
http://mega.ist.utl.pt/~miguel

Systems Administration Team
Rede das Novas Licenciaturas (RNL)
Instituto Superior Técnico
http://www.rnl.ist.utl.pt
http://mega.ist.utl.pt
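The su -c limitation Miguel describes and the sudo alternative Dan recommends, as an added shell example that is not part of the thread: it emulates how su hands the command to the account's login shell (so /bin/false silently runs nothing), lists the no-shell accounts, and emits the sudoers rule that grants one fixed command instead. The passwd entries and the /opt/tomcat/bin/startup.sh path are constructed assumptions.

```shell
#!/bin/sh
# Constructed passwd data standing in for /etc/passwd on the migrated box.
PASSWD_DATA='root:x:0:0:root:/root:/bin/sh
tomcat:x:1001:1001:Tomcat service:/opt/tomcat:/bin/false
sybase:x:1002:1002:Sybase database:/opt/sybase:/bin/false
jdoe:x:1003:1003:Office worker:/home/jdoe:/sbin/nologin
admin:x:1004:1004:Administrator:/home/admin:/bin/sh'

# Login shell recorded for a user (7th passwd field); empty if unknown.
login_shell() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Emulate what shadow's su -c does: the command is passed to the user's
# login shell as "$shell -c command". With /bin/false the command is never
# executed and the status is simply false's exit status.
su_c_emulated() {
    shell=$(login_shell "$1")
    [ -n "$shell" ] || return 127
    "$shell" -c "$2"
}

# Accounts whose shell blocks interactive login (/bin/false or nologin).
nologin_accounts() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: '$7 ~ "/(false|nologin)$" { print $1 }'
}

# sudoers line letting "admin" run exactly one command as a service user,
# with no shell granted to that user (hypothetical admin account name).
sudoers_rule() {
    printf 'admin ALL=(%s) NOPASSWD: %s\n' "$1" "$2"
}

# Stand-alone demonstration: su -c style works for admin, not for tomcat.
su_c_emulated admin 'echo "ran as admin via login shell"'
su_c_emulated tomcat 'echo "never printed: shell is /bin/false"' || echo "su -c style failed for tomcat"
nologin_accounts
sudoers_rule tomcat /opt/tomcat/bin/startup.sh
```

On a real system the rule would be installed with visudo and invoked as `sudo -u tomcat /opt/tomcat/bin/startup.sh`, which runs the program directly rather than through the account's login shell.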