From: Alex Zbyslaw <xfb52@dial.pipex.com>
Date: Fri, 09 Nov 2007 18:10:27 +0000
To: Giorgos Keramidas
Cc: freebsd-questions@freebsd.org
Subject: Re: Dangers of using a non-base shell
Message-ID: <4734A293.7040106@dial.pipex.com>
In-Reply-To: <20071109171716.GA16016@kobe.laptop>

Giorgos Keramidas wrote:

> On 2007-11-09 16:34, Alex Zbyslaw wrote:
>
>> [ discussing `su -m' option ]
>>
>> Also the only way I know on FreeBSD to interactively become a user
>> with no real shell (true, nologin etc).
>
> It should be possible to type:
>
>     su username
>
> i.e. here's an ftp session on my laptop:
>
>     root@kobe:/root# fgrep ftp: /etc/passwd
>     ftp:*:1003:1003:& user:/home/ftp:/usr/sbin/nologin
>     root@kobe:/root# su ftp
>     root@kobe:/root$ id
>     uid=1003(ftp) gid=1003 groups=1003
>     root@kobe:/root$
>
> Good idea, though :)

Must be new, because in 5.4 I get:

    100 {root @ cartman} # fgrep ftp: /etc/passwd
    ftp:*:6000:6000:Anon FTP:/home/ftp:/usr/sbin/nologin
    101 {root @ cartman} # su ftp
    This account is currently not available.
    102 {root @ cartman} # id
    uid=0(root) gid=0(wheel) groups=0(wheel)
    103 {root @ cartman} # su -m ftp
    (ftp@cartman)1% id
    uid=6000(ftp) gid=6000(ftp) groups=6000(ftp)
    (ftp@cartman)2% exit
    104 {root @ cartman} # /usr/sbin/nologin
    This account is currently not available.
    105 {root @ cartman} # alias su
    106 {root @ cartman} # which su
    /usr/bin/su

I find the behaviour you get definitely undesirable. There are occasionally
accounts that have special-purpose shells which do work in some restricted
fashion, which you *might* want to use (in which case you can su) or which
you might not (so you su -m).

I don't know offhand of any PD examples, but I maintain some proprietary
software which has an account that uses a "shell" which understands various
keywords and commands, and which restricts what you can do over ssh, for
example. But for maintenance you sometimes just want to be that user with a
regular shell. I can't see how to achieve that given the behaviour you seem
to get with su.

I seem to recall mharc being a bit like this - it certainly needed the Linux
equivalent "su -s /bin/csh" when doing stuff with it.

There's no indication in the online man pages that su should behave the way
you've shown it, unless I'm missing something (a distinct possibility :-)).
Even the page from FreeBSD-7 says "The invoked shell is the one belonging to
the target login." Your /usr/sbin/nologin isn't a real shell, is it? Or you
have some alias for su?

Who knows, maybe it's because I run csh - there does seem to be special case
code for it in su.c but I can't see how it would have this effect!

Confused.

--Alex
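The thread turns on which accounts plain `su user` will drop into a login shell, which it will refuse (nologin/false, so maintenance needs `su -m`), and which carry a custom restricted shell worth reviewing. The following audit script is an added example, not code from the thread or from FreeBSD; it uses constructed stand-ins for /etc/passwd and /etc/shells and hypothetical account names, so it runs without root on any POSIX sh.

```shell
#!/bin/sh
# Added example: classify each account by what `su user` would do.
# Constructed sample data only; no real system files are read.

# Constructed stand-in for /etc/shells (the login shells su will invoke).
SHELLS_DATA='/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash'

# Constructed stand-in for /etc/passwd with hypothetical accounts.
PASSWD_DATA='root:*:0:0:Charlie &:/root:/bin/csh
ftp:*:6000:6000:Anon FTP:/home/ftp:/usr/sbin/nologin
backup:*:1010:1010:Backup user:/home/backup:/usr/bin/false
appadmin:*:1020:1020:App maint:/home/appadmin:/usr/local/bin/appshell
alex:*:1001:1001:Alex:/home/alex:/bin/tcsh'

# classify_shell SHELL SHELLS_LIST -> interactive | blocked | custom
classify_shell() {
    case "$1" in
        */nologin|*/false) echo blocked; return 0 ;;
    esac
    # A shell listed in the shells file is an ordinary login shell.
    if printf '%s\n' "$2" | grep -qx -- "$1"; then
        echo interactive
    else
        echo custom        # restricted/keyword shell: review what it permits
    fi
}

# audit_passwd PASSWD_DATA SHELLS_LIST -> one "user class shell (advice)" line per account
audit_passwd() {
    printf '%s\n' "$1" | while IFS=: read -r user _ uid _ _ _ shell; do
        class=$(classify_shell "$shell" "$2")
        case "$class" in
            interactive) advice='su lands in the listed login shell' ;;
            blocked)     advice='su is refused; use su -m for maintenance' ;;
            custom)      advice='su runs a non-standard shell; check what it allows over ssh' ;;
        esac
        printf '%s %s %s (%s)\n' "$user" "$class" "$shell" "$advice"
    done
}

audit_passwd "$PASSWD_DATA" "$SHELLS_DATA"
```

Accounts reported as "custom" are the ones the reply above describes: reachable with plain su, but only as useful as whatever the restricted shell understands.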