Date: Fri, 09 Nov 2007 18:10:27 +0000 From: Alex Zbyslaw <xfb52@dial.pipex.com> To: Giorgos Keramidas <keramida@ceid.upatras.gr> Cc: freebsd-questions@freebsd.org Subject: Re: Dangers of using a non-base shell Message-ID: <4734A293.7040106@dial.pipex.com> In-Reply-To: <20071109171716.GA16016@kobe.laptop> References: <472647A0.3030009@brookes.ac.uk> <20071030113912.GB3941@kobe.laptop> <20071109155558.GF8728@amilo.cenkes.org> <20071109160809.GA14984@kobe.laptop> <47348BF9.7050402@dial.pipex.com> <20071109171716.GA16016@kobe.laptop>
next in thread | previous in thread | raw e-mail | index | archive | help
Giorgos Keramidas wrote: >On 2007-11-09 16:34, Alex Zbyslaw <xfb52@dial.pipex.com> wrote: > > >>[ discussing `su -m' option ] >> >>Also the only way I know on FreeBSD to interactively become a user >>with no real shell (true, nologin etc). >> >> > >It should be possible to type: > > su username > >i.e. here's an ftp session on my laptop: > > root@kobe:/root# fgrep ftp: /etc/passwd > ftp:*:1003:1003:& user:/home/ftp:/usr/sbin/nologin > root@kobe:/root# su ftp > root@kobe:/root$ id > uid=1003(ftp) gid=1003 groups=1003 > root@kobe:/root$ > >Good idea, though :) > > Must be new, because in 5.4 I get: 100 {root @ cartman} # fgrep ftp: /etc/passwd ftp:*:6000:6000:Anon FTP:/home/ftp:/usr/sbin/nologin 101 {root @ cartman} # su ftp This account is currently not available. 102 {root @ cartman} # id uid=0(root) gid=0(wheel) groups=0(wheel) 103 {root @ cartman} # su -m ftp (ftp@cartman)1% id uid=6000(ftp) gid=6000(ftp) groups=6000(ftp) (ftp@cartman)2% exit 104 {root @ cartman} # /usr/sbin/nologin This account is currently not available. 105 {root @ cartman} # alias su 106 {root @ cartman} # which su /usr/bin/su I find the behaviour you get definitely undesirable. There are occasionally accounts have special purpose shells which do work in some restricted fashion which you *might* want to use (in which case you can su) or which you might not (so you su -m). I don't know off hand of any PD examples, but I maintain some proprietary software which has an account which uses a "shell" which understands various keywords and commands, which restricts what you can do over ssh, for example. But for maintenance you sometimes just want to be that user with a regular shell. I can't see how to achieve that given the behaviour you seem to get with su. I seem to recall mharc being a bit like this - certainly needed the Linux equivalent "su -s /bin/csh" when doing stuff with it. There's no indication in the online man pages that su should behave the way you've shown it, unless I'm missing something (a distinct possibility :-)). Even the page from FreeBSD-7 says "The invoked shell is the one belonging to the target login." Your /usr/sbin/nologin isn't a real shell, is it? Or you have some alias for su? Who knows, maybe it's because I run csh - there does seem to be special case code for it in su.c but I can't see how it would have this effect! Confused. --Alex
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4734A293.7040106>