Message-Id: <201807121857.w6CIv7TX089208@fire.js.berklix.net>
To: Guy Helmer
cc: current@freebsd.org
cc: Diane Bruce
Subject: Re: How to add su to /rescue ?
From: "Julian H. Stacey"
Organization: http://berklix.eu BSD Unix Linux Consultants, Munich Germany
In-reply-to: Your message "Mon, 09 Jul 2018 14:13:40 -0500." <2ACD0DE9-3C43-48DE-BD5A-E074E1A4740E@gmail.com>
Date: Thu, 12 Jul 2018 20:57:07 +0200
List-Id: Discussions about the use of FreeBSD-current

Guy Helmer wrote:
> > On Jul 9, 2018, at 6:54 AM, Julian H. Stacey wrote:
> > Hi current@
> > I want to add su to /rescue, but got stuck on pam.
> > Old unix su didn't suffer from pam.
> > There's no #define in su to turn off pam.
> > Man src.conf says WITHOUT_PAM is deprecated & does nothing.
> >
> > Can someone please offer a solution ?
> > Or better to include a simple BSD su pre pam ?
> > I would happily develop a patch for that.

> Hi,
> Aside from not being able to use pam from a static executable,
> please don’t try to make the crunched hard-linked executable in
> /rescue setuid-root (su is useless without it). That would mean
> anyone running /rescue/sh gets a root shell :-)

Thanks Guy ! Yes all SUID 0 would be very wrong.

> Conceptually, a separate crunchgen binary could be made for
> setuid-root purposes, but having a setuid-root binary in /rescue
> (outside of the normal hierarchy) makes me nervous.

In case other suid things are also needed later, I created a local
src/rescue/suid/ with an old su.c pre PAM, Thanks to Diane Bruce,
& a diff & Makefile to drive it.
	http://berklix.com/~jhs/src/bsd/fixes/freebsd/src/gen/rescue/
It works, but improvements welcome.

Cheers,
Julian
-- 
Julian Stacey, Computer Consultant, Systems Engineer, BSD Linux Unix, Munich
 Brexit Referendum stole 3.7 million votes inc. 700,000 from British in EU.
 UK Government lies it's democratic in Article 50 paragraph 3 of letter to EU.
	http://exitbrexit.uk
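
Added example, not part of the original message or of the FreeBSD tree: the set-uid bit lives on the inode, so it applies to every hard-linked name of a crunched binary, which is the concern raised in the thread about /rescue/sh. The Python audit below lists set-id files that carry more than one name; the function names and the temporary directory layout are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
from collections import defaultdict


def find_shared_setid(directory):
    """Return {(dev, inode): {"names": [...], "nlink": n}} for regular files
    in `directory` that are set-uid or set-gid AND have more than one link."""
    by_inode = defaultdict(list)
    for entry in os.scandir(directory):
        st = entry.stat(follow_symlinks=False)
        if not stat.S_ISREG(st.st_mode):
            continue
        # Mode bits belong to the inode, so every name of it is set-id.
        if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
            by_inode[(st.st_dev, st.st_ino)].append((entry.name, st.st_nlink))
    findings = {}
    for key, items in by_inode.items():
        nlink = items[0][1]
        if nlink > 1:
            # nlink larger than len(names) means further links exist
            # outside the directory that was scanned.
            findings[key] = {"names": sorted(n for n, _ in items),
                             "nlink": nlink}
    return findings


def demo():
    """Constructed layout: one file with three names, as crunchgen produces,
    plus an unrelated single-link file. Contents are placeholders."""
    with tempfile.TemporaryDirectory() as d:
        first = os.path.join(d, "sh")
        with open(first, "wb") as f:
            f.write(b"placeholder, not a real binary\n")
        for name in ("ls", "su"):
            os.link(first, os.path.join(d, name))
        with open(os.path.join(d, "standalone"), "wb") as f:
            f.write(b"placeholder\n")
        # Set the bit through the "su" name only.
        os.chmod(os.path.join(d, "su"), 0o4555)
        return find_shared_setid(d)


if __name__ == "__main__":
    for (dev, ino), info in demo().items():
        print(f"inode {ino}: set-id shared by {info['names']} "
              f"(nlink={info['nlink']})")
```

A separate set-uid binary with a single link, as in the src/rescue/suid/ approach described in the message, produces no finding from this check.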