From owner-freebsd-current@FreeBSD.ORG Sat Oct 16 20:32:33 2004
From: Randy Bush
Date: Sat, 16 Oct 2004 13:32:29 -0700
To: Kris Kennaway
cc: FreeBSD Current
Subject: Re: /security/op on -current?
Message-ID: <16753.34141.727408.377491@ran.psg.com>

> I think you missed my point :) It could be a pam interaction or some
> other dark magic, but you've not given much information upon which to
> base a guess.

sorry. too much happening here to get it today.

% id
uid=106(robot) gid=10 groups=10

% ls -l /usr/home/robot/cr /var/dns/INC.cr
-rw------- 1 robot staff 19951 Oct 16 05:31 /usr/home/robot/cr
-rw-r--r-- 1 bind bind 23087 Nov 5 2003 /var/dns/INC.cr

# cat /usr/local/etc/op.access
DEFAULT users=robot
dns.cr.cp /bin/cp $1 $2
          /bin/chmod 644 $2
          /usr/sbin/chown bind:bind $2

% ktrace op dns.cr.cp /usr/home/robot/cr /var/dns/INC.cr
line 1: cmd='DEFAULT' add opt 'users=robot'
line 2: cmd='dns.cr.cp' add arg '/bin/cp'
line 2: cmd='dns.cr.cp' add arg '$1'
line 2: cmd='dns.cr.cp' add arg '$2'
line 3: cmd='dns.cr.cp' add arg '/bin/chmod'
line 3: cmd='dns.cr.cp' add arg '644'
line 3: cmd='dns.cr.cp' add arg '$2'
line 4: cmd='dns.cr.cp' add arg '/usr/sbin/chown'
line 4: cmd='dns.cr.cp' add arg 'bind:bind'
line 4: cmd='dns.cr.cp' add arg '$2'
line 5: cmd='' add arg '/bin/cp'
line 5: cmd='' add arg '$1'
line 5: cmd='' add arg '$2'
line 5: cmd='' add arg '/bin/chmod'
line 5: cmd='' add arg '644'
line 5: cmd='' add arg '$2'
line 5: cmd='' add arg '/usr/sbin/chown'
line 5: cmd='' add arg 'bind:bind'
line 5: cmd='' add arg '$2'
line 5: cmd='' add opt 'users=robot'
Permission denied by op

% kdump
99278 ktrace RET ktrace 0
99278 ktrace CALL execve(0xbfbfe560,0xbfbfea8c,0xbfbfeaa0)
99278 ktrace NAMI "/bin/op"
99278 ktrace RET execve -1 errno 2 No such file or directory
99278 ktrace CALL execve(0xbfbfe560,0xbfbfea8c,0xbfbfeaa0)
99278 ktrace NAMI "/sbin/op"
99278 ktrace RET execve -1 errno 2 No such file or directory
99278 ktrace CALL execve(0xbfbfe560,0xbfbfea8c,0xbfbfeaa0)
99278 ktrace NAMI "/usr/bin/op"
99278 ktrace RET execve -1 errno 2 No such file or directory
99278 ktrace CALL execve(0xbfbfe560,0xbfbfea8c,0xbfbfeaa0)
99278 ktrace NAMI "/usr/sbin/op"
99278 ktrace RET execve -1 errno 2 No such file or directory
99278 ktrace CALL execve(0xbfbfe560,0xbfbfea8c,0xbfbfeaa0)
99278 ktrace NAMI "/usr/X11R6/bin/op"
99278 ktrace RET execve -1 errno 2 No such file or directory
99278 ktrace CALL execve(0xbfbfe560,0xbfbfea8c,0xbfbfeaa0)
99278 ktrace NAMI "/usr/local/bin/op"
99278 ktrace NAMI "/libexec/ld-elf.so.1"