Date: Thu, 26 Jun 2025 14:02:23 +1000
From: Dewayne Geraghty <dewayne@heuristicsystems.com.au>
To: questions@freebsd.org
Subject: Re: two questions about su(1)
Message-ID: <d1dbf81a-a975-4edc-9d55-3e1a6a794ddb@heuristicsystems.com.au>
In-Reply-To: <85bac60f-82df-075a-4e3c-d113301aa53f@bluerosetech.com>
References: <2810770.4sosBPzcNG@localhost> <85bac60f-82df-075a-4e3c-d113301aa53f@bluerosetech.com>
Paul,
Just expanding on bluerosetech's answer
Q 1. The user needs to authenticate before su looks up the class record
for the user in login.conf.db. Are you using a class zsh? :)
Q 2. For example
    su -c Bobs_class Alice -c "$Process $Args"
is very useful when testing (or running) Processes that you don't want
to run as root and would like to monitor process behaviour with
different class attributes.
Using classes via login.conf helps (me) to restrict process behaviour.
It's particularly useful when using jails, as the restrictions that you
apply to a class are applied to the user logging into a jail - I
typically use classes to change MAC labels, process priority, cpu and
memory limits and open files. For example
    jexec -U Alice $Jail $Process
will use the class that Alice has been assigned (within the jail).
An example of a modified record in my login.conf
    audit:\
        :openfiles=16:\
        :priority=-6:\
        :label=partition/3:\
        :tc=itsp:
su with classes is a very useful mechanism.
Cheers.
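
Added example (not part of the original message, and not FreeBSD's own code): a small Python resolver that follows the tc= chain of a login.conf record to show which limits a class such as "audit" ends up with, using the getcap(3) first-match rule. Only the "audit" record is from the message; the "itsp" and "default" records are constructed, and escaped colons (\c) in values are not handled.

```python
# Constructed sample: only "audit" is from the message; the contents of
# "itsp" and "default" are invented for illustration.
SAMPLE = r"""
default:\
    :openfiles=unlimited:\
    :priority=0:\
    :umask=022:
itsp:\
    :cputime=1h:\
    :memoryuse=512M:\
    :openfiles=1024:\
    :tc=default:
audit:\
    :openfiles=16:\
    :priority=-6:\
    :label=partition/3:\
    :tc=itsp:
"""

def parse_records(text):
    """Return {class_name: [(capability, value), ...]} in file order."""
    lines = [l for l in text.splitlines() if not l.lstrip().startswith("#")]
    records = {}
    # Join backslash-continued lines so each class is one logical line.
    for line in "\n".join(lines).replace("\\\n", "").splitlines():
        fields = [f.strip() for f in line.split(":")]
        caps = [tuple(f.partition("=")[::2]) for f in fields[1:] if f]
        for name in filter(None, fields[0].split("|")):
            records[name] = caps
    return records

def effective(records, cls, seen=()):
    """Resolve tc= chains; the first definition of a capability wins."""
    if cls in seen:
        raise ValueError("tc= loop at " + cls)
    result = {}
    for name, value in records[cls]:
        if name == "tc":  # splice in the parent class at this position
            for k, v in effective(records, value, seen + (cls,)).items():
                result.setdefault(k, v)
        elif name.endswith("@"):  # name@ cancels an inherited capability
            result.setdefault(name[:-1], None)
        else:
            result.setdefault(name, value)
    return {k: v for k, v in result.items() if v is not None}

if __name__ == "__main__":
    for cap, val in sorted(effective(parse_records(SAMPLE), "audit").items()):
        print(f"{cap}={val}")
```
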
