Date:      Fri, 09 Nov 2007 18:10:27 +0000
From:      Alex Zbyslaw <xfb52@dial.pipex.com>
To:        Giorgos Keramidas <keramida@ceid.upatras.gr>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: Dangers of using a non-base shell
Message-ID:  <4734A293.7040106@dial.pipex.com>
In-Reply-To: <20071109171716.GA16016@kobe.laptop>
References:  <472647A0.3030009@brookes.ac.uk> <20071030113912.GB3941@kobe.laptop> <20071109155558.GF8728@amilo.cenkes.org> <20071109160809.GA14984@kobe.laptop> <47348BF9.7050402@dial.pipex.com> <20071109171716.GA16016@kobe.laptop>

Giorgos Keramidas wrote:

>On 2007-11-09 16:34, Alex Zbyslaw <xfb52@dial.pipex.com> wrote:
>
>>[ discussing `su -m' option ]
>>
>>Also the only way I know on FreeBSD to interactively become a user
>>with no real shell (true, nologin etc).
>
>It should be possible to type:
>
>	su username
>
>i.e. here's an ftp session on my laptop:
>
>	root@kobe:/root# fgrep ftp: /etc/passwd
>	ftp:*:1003:1003:&; user:/home/ftp:/usr/sbin/nologin
>	root@kobe:/root# su ftp
>	root@kobe:/root$ id
>	uid=1003(ftp) gid=1003 groups=1003
>	root@kobe:/root$
>
>Good idea, though :)
>
Must be new, because in 5.4 I get:

100 {root @ cartman} # fgrep ftp: /etc/passwd
ftp:*:6000:6000:Anon FTP:/home/ftp:/usr/sbin/nologin
101 {root @ cartman} # su ftp
This account is currently not available.
102 {root @ cartman} # id
uid=0(root) gid=0(wheel) groups=0(wheel)
103 {root @ cartman} # su -m ftp
(ftp@cartman)1% id
uid=6000(ftp) gid=6000(ftp) groups=6000(ftp)
(ftp@cartman)2% exit
104 {root @ cartman} # /usr/sbin/nologin
This account is currently not available.
105 {root @ cartman} # alias su
106 {root @ cartman} # which su
/usr/bin/su

I find the behaviour you get definitely undesirable.  There are 
occasionally accounts that have special-purpose shells which do work in 
some restricted fashion which you *might* want to use (in which case you 
can su) or which you might not (so you su -m).  I don't know offhand of 
any PD examples, but I maintain some proprietary software which has an 
account which uses a "shell" which understands various keywords and 
commands, which restricts what you can do over ssh, for example.  But 
for maintenance you sometimes just want to be that user with a regular 
shell.  I can't see how to achieve that given the behaviour you seem to 
get with su.

I seem to recall mharc being a bit like this - certainly needed the 
Linux equivalent "su -s /bin/csh" when doing stuff with it.

There's no indication in the online man pages that su should behave the 
way you've shown it, unless I'm missing something (a distinct 
possibility :-)).  Even the page from FreeBSD-7 says "The invoked shell 
is the one belonging to the target login."  Your /usr/sbin/nologin isn't 
a real shell, is it?  Or you have some alias for su?  Who knows, maybe 
it's because I run csh - there does seem to be special-case code for it 
in su.c but I can't see how it would have this effect!

Confused.

--Alex
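The decision the two posters are arguing about, as an added example that is not part of the original thread: read a passwd(5) record, decide whether the account's login shell is a real interactive shell or a refusal stub (nologin, true, false), and build the su(1) invocation that will actually give you an interactive session as that user. On FreeBSD that is `su -m` (keep the caller's shell and environment); on Linux with util-linux su it is `su -s /bin/sh`. The passwd lines and the helper names (`su_command`, `is_nologin_shell`) are constructed for this example and are not from any real host or from su.c.

```shell
#!/bin/sh
# Added example (not from the original thread): choose the su(1) invocation
# that gives an interactive session as an account whose login shell refuses
# logins. The passwd records are constructed, not copied from any system.

# Shells that only refuse or immediately exit. A plain "su user" with one of
# these prints a refusal (nologin) or returns straight away (true/false).
is_nologin_shell() {
    case "$1" in
        ""|*/nologin|*/true|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# First field of a passwd line: the login name.
passwd_user() {
    printf '%s\n' "$1" | cut -d: -f1
}

# Seventh field of a passwd line: the login shell.
passwd_shell() {
    printf '%s\n' "$1" | cut -d: -f7
}

# su_command PASSWD_LINE OS
# Prints the command to type as root. OS is "freebsd" (su -m keeps the
# caller's own shell and environment instead of running the target's shell)
# or "linux" (util-linux su -s names the shell to run explicitly).
su_command() {
    line=$1
    os=$2
    user=$(passwd_user "$line")
    shell=$(passwd_shell "$line")
    if is_nologin_shell "$shell"; then
        case "$os" in
            freebsd) printf 'su -m %s\n' "$user" ;;
            linux)   printf 'su -s /bin/sh %s\n' "$user" ;;
            *) printf 'unknown OS: %s\n' "$os" >&2; return 2 ;;
        esac
    else
        # A real shell: let su run the target's own login shell.
        printf 'su %s\n' "$user"
    fi
}

# Constructed sample records (same shape as the ones quoted in the thread).
FTP_RECORD='ftp:*:6000:6000:Anon FTP:/home/ftp:/usr/sbin/nologin'
ALEX_RECORD='alex:*:1001:1001:Alex:/home/alex:/bin/csh'

su_command "$FTP_RECORD" freebsd    # prints: su -m ftp
su_command "$FTP_RECORD" linux      # prints: su -s /bin/sh ftp
su_command "$ALEX_RECORD" freebsd   # prints: su alex
```

Two caveats worth keeping in mind with `-m`. First, per su(1) it leaves the environment unmodified, so HOME, PATH and SHELL in the new session are still root's; anything in the target user's dotfiles that the plain form would have sourced is skipped, and anything keyed on those variables behaves as if root were still logged in (privileges are dropped regardless, as the `id` output in the thread shows). Second, the same man page notes that if the target's shell is not a standard one (per getusershell(3)) and the caller's real uid is non-zero, `su -m` fails, so the trick in this example only works from root.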
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4734A293.7040106>