From: 韓家標 Bill Hacker
Date: Wed, 17 Oct 2007 15:16:12 -0400
To: freebsd-current@freebsd.org
Subject: Re: Broken su in current - trying to fix myself, help needed!

Andrey Chernov wrote:
> On Wed, Oct 17, 2007 at 10:32:16PM +0400, Artem Kuchin wrote:
>> There are such lines in the default: section of switch
>>
>> child_pgrp = getpgid(child_pid);
>> if (tcgetpgrp(STDERR_FILENO) == child_pgrp)
>>     tcsetpgrp(STDERR_FILENO, getpgrp());
>>
>>
>> The problem is here.
>> getpgid(child_pid) simply fails with errno 3 (process doesn't exist)
>
> The question is: why getpgid() fails while process really exists (in
> stopped state)?
>

Are we even chasing the correct animal here?

Are the tests being run as root?

If not, is the stalled state perhaps seen as a privilege-escalation issue?

Or that the PID sought exists, but not as belonging to or permitted to be
known to the current EUID:EGID?

Or that the EUID:EGID su'ed to simply has a different login shell invoked
than that used by the caller's UID or the script?

IOW - not seeing a lesser-than root:wheel user being su'ed to, and not
seeing a pwd requested and responded to that root:wheel should ask for
unless the caller is *already* root:wheel, is there actually something
'broken' in su - or has security simply been made more rigorous between
6.X and 7.X?

Bill
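
The questions in this thread (does getpgid() really fail on a stopped child, and does the answer depend on which UID runs the test) can be checked outside su. The C program below is an added example, not code from su or from any poster; probe_child_pgid is a hypothetical helper name, and it assumes the parent learns of the stop through waitpid() with WUNTRACED.

```c
#ifndef _XOPEN_SOURCE
#define _XOPEN_SOURCE 700
#endif
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: fork a child and call getpgid() on it.
 * reap_first == 0: the child stops itself and is queried while stopped.
 * reap_first != 0: the child exits and is reaped before the query, one
 *                  ordinary way to get ESRCH (errno 3) for a recent pid.
 * Returns the pgid, or -1 with *err set to the errno observed. */
pid_t probe_child_pgid(int reap_first, int *err)
{
    int status;
    pid_t pgid, pid = fork();

    *err = 0;
    if (pid < 0) { *err = errno; return -1; }
    if (pid == 0) {                 /* child */
        if (!reap_first)
            raise(SIGSTOP);         /* stay stopped until SIGCONT */
        _exit(0);
    }
    /* WUNTRACED makes waitpid() return for a stop as well as an exit */
    if (waitpid(pid, &status, WUNTRACED) < 0) { *err = errno; return -1; }
    if (!reap_first && !WIFSTOPPED(status)) { *err = ECHILD; return -1; }
    pgid = getpgid(pid);            /* the call reported as failing */
    if (pgid < 0) *err = errno;
    if (!reap_first) {              /* resume and reap the stopped child */
        kill(pid, SIGCONT);
        waitpid(pid, &status, 0);
    }
    return pgid;
}

int main(void)
{
    int err;
    pid_t pg = probe_child_pgid(0, &err);
    printf("euid=%d stopped child: pgid=%d errno=%d\n", (int)geteuid(), (int)pg, err);
    pg = probe_child_pgid(1, &err);
    printf("euid=%d reaped child:  pgid=%d errno=%d\n", (int)geteuid(), (int)pg, err);
    return 0;
}
```

Run it once as root and once as the unprivileged UID in question. If the stopped-child line shows errno 3 for one UID but not the other, the difference is in process visibility rather than in su's own logic.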