From: Bryan Drewery
Organization: FreeBSD
To: "Simon J. Gerraty"
Cc: Jilles Tjoelker, freebsd-arch@freebsd.org
Subject: Re: login -f changing session getlogin(2)
Date: Sat, 3 Oct 2015 10:28:06 -0700
Message-ID: <56101026.7060206@FreeBSD.org>
In-Reply-To: <28007.1443892369@chaos>
References: <560D826D.7000302@FreeBSD.org> <20151001203436.GA22737@stack.nl> <560DAD6D.7050007@FreeBSD.org> <28007.1443892369@chaos>
List-Id: Discussion related to FreeBSD architecture

On 10/3/2015 10:12 AM, Simon J. Gerraty wrote:
> Hi Bryan
>
>>>> It makes me wonder if there's bigger architectural issues here that need
>>>> addressing with session and login. Perhaps login -f is just a special
>>>> case though.
>
> As others have indicated your use of 'login -f' is "unexpected".
>
>> Well, none of that is documented or its use discouraged. It has been
>
> People document what they expect others need to know - and that is
> framed by their own expectations of usage.
> Thus lack of a documented admonition against every possible usage, does
> not constitute a guarantee of support.
>
> When eventually someone uses something in an "unexpected" way,
> and encounters problems, there are basically three options.
>
> 1/ document that that should not be done, or that problems may arise
>
> 2/ prevent it being done
>
> 3/ make it work
>
>> And actually, 'su -l' NOT calling setlogin(2) is another surprise. I
>> have used 'login -f' precisely because it simulates a real login and
>> sets up the environment as the user. If I am dropping into a user's
>> shell I expect things like 'mail' to have their FROM not root or
>> wherever I came from in my session.
>
> Masquerading as another user to that extent, sounds somewhat disturbing
> actually, and not something that should really be optimized for.
>
> So I'd guess in this case that #1 is the correct option.
>

This still ignores that 'su -l' does the opposite.

Sometimes sysadmins need to masquerade as users for support. Having a
user hand over their SSH password, or adding a password to a service
user that should NOT have remote access, is not the answer. There needs
to be a way to login fully as a user for debugging issues as that user.

--
Regards,
Bryan Drewery