From: Mike Meyer
Date: Tue, 3 Apr 2001 13:51:21 -0500
To: "Matthew Emmerton"
Cc: "Kherry Zamore"
Subject: Re: su change?
Message-ID: <15050.7081.662834.357741@guru.mired.org>
In-Reply-To: <001f01c0bc68$681a2b20$1200a8c0@gsicomp.on.ca>
Sender: owner-freebsd-stable@FreeBSD.ORG

Matthew Emmerton types:
> > According to su.c, if the user you are changing to does not have a valid
> > shell, su complains and exits.  A valid thing to do in today's security
> > conscious society.  Now, let's say you want to become root to fix this
> > invalid shell problem.. su's nature is to complain and exit.  The fix is
> > rather simple, somewhere around line 310 in su.c is:
> >
> >     if (!chshell(pwd->pw_shell) && ruid)
> >         errx(1, "permission denied (shell).");
> >
> > The only thing we need to prepend to this is a check to see if we are trying
> > to su to root, which we should allow regardless of the shell specified:
> I disagree.  The root account is an account that needs to have the highest
> number of security checks present.  If you're swift enough to change root's
> shell to something non-standard and forget to update /etc/shells, then
> having to drop to single user mode is suitable punishment.  After all,
> playing with the root user is like playing with fire -- sooner or later
> you're going to get burned.

The fix he suggested isn't for the case of root's shell not being in
/etc/shells, it's for the case of root's shell not being an
executable.

If root shell isn't in /etc/shells, then stock su with no arguments
will work just fine - you'll just get the non-standard shell. If
root's shell isn't executable, then su with no flags fails because the
exec of the shell fails. If you try and use the "-m" flag to su and
start your shell, the quoted code causes a failure. Only root (the "&&
ruid" test) is allowed to su to an account with a non-standard shell
without using the non-standard shell.

If you hit that case, and don't have a root shell around, you're
pretty much hosed. You have to power cycle to get the machine to a
state where this can be fixed, whether that means just booting
single-user, or booting from an alternate media of some kind, or
something really extreme. Sudo can probably be configured to solve the
problem as well.

This just expands the current policy of "Only root can get a standard
shell for an account with a non-standard shell" to include the case
where the account is root. I think it would be better if the code
showed that, though:

    if (!chshell(pwd->pw_shell) && ruid && pwd->pw_uid)
        errx(1, "permission denied (shell).");

but that's just me.

On the other hand, I advise against changing root shell, and this
lends weight to that advice.

--
http://www.mired.org/home/mwm/
Independent WWW/Perforce/FreeBSD/Unix consultant, email for more information.
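The two conditions from this message, side by side, as an added example that is not code from su.c or from the poster. It assumes chshell() amounts to a membership test against /etc/shells; `shell_listed`, `denied_quoted`, `denied_proposed`, the sample shells list and the uids are hypothetical and constructed.

```c
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Constructed stand-in for /etc/shells (not read from a real system). */
static const char SHELLS_TXT[] =
    "# constructed sample\n/bin/sh\n/bin/csh\n/bin/tcsh\n";

/* Hypothetical model of chshell(): 1 if `shell` is a whole line of
 * `list`; lines starting with '#' are comments and never match. */
int shell_listed(const char *list, const char *shell)
{
    size_t want = strlen(shell);
    const char *p = list;

    while (*p) {
        size_t len = strcspn(p, "\n");
        if (*p != '#' && len == want && strncmp(p, shell, len) == 0)
            return 1;
        p += len;
        if (*p == '\n')
            p++;
    }
    return 0;
}

/* Condition quoted from su.c: with a non-standard target shell,
 * only a caller whose real uid is 0 gets past the check. */
int denied_quoted(int listed, uid_t ruid)
{
    return !listed && ruid != 0;
}

/* Condition from the reply: additionally let the check pass when the
 * target account is root (pw_uid == 0). */
int denied_proposed(int listed, uid_t ruid, uid_t target_uid)
{
    return !listed && ruid != 0 && target_uid != 0;
}

int main(void)
{
    /* Constructed case: uid 1001 runs "su -m" to a root account whose
     * shell is a path missing from the shells list. */
    int ok = shell_listed(SHELLS_TXT, "/usr/local/bin/broken");

    printf("listed=%d quoted_denies=%d proposed_denies=%d\n",
           ok, denied_quoted(ok, 1001), denied_proposed(ok, 1001, 0));
    return 0;
}
```

Both functions model only the shell check; the password and group checks that su performs elsewhere are outside this sketch.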