From: Bryan Drewery
To: "Simon J. Gerraty"
Cc: Jilles Tjoelker, freebsd-arch@FreeBSD.org
Subject: Re: login -f changing session getlogin(2)
Date: Sat, 3 Oct 2015 13:14:32 -0700
Message-ID: <56103728.5060008@FreeBSD.org>
Organization: FreeBSD

On 10/3/2015 12:51 PM, Simon J. Gerraty wrote:
> Bryan Drewery wrote:
>> This still ignores that 'su -l' does the opposite.
>
> The opposite of what?
> fwiw I'm not sure I'd want su - calling setlogin()
> but then I'm never trying to really masquerade as someone else to the
> extent that would matter.

I said this in another mail. su -l does not change logname, so things
like 'mail' send the mail as 'root' rather than the user. su.1 claims to
set USER to the target user. It does, but lacking the documentation for
a kernel implementation detail of logname it does not convey that
setting USER is not the full story.

So both login and su have unexpected behavior no matter how you look at it.

>
>> Sometimes sysadmins need to masquerade as users for support. Having a
>> user hand over their SSH password, or adding a password to a service
>> user that should NOT have remote access, is not the answer. There needs
>> to be a way to login fully as a user for debugging issues as that user.
>
> There are many ways to skin that cat (eg append your pub key to their
> .ssh/authorized_keys)
> The easiest is to just use 'login -f' as you are doing, and when
> finished logout completely.

Why does SSH need to even be involved here? This is what I mean by
bigger issues.

-- 
Regards,
Bryan Drewery
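
Added example, not part of the original message and not FreeBSD code: a small C check for the mismatch discussed above, comparing the session login name from getlogin(2), the USER environment variable, and the passwd name of the real uid. The function name classify_identity and the ID_* flags are made up for this illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define ID_OK            0
#define ID_LOGIN_DIFFERS 1 /* session login name != passwd name of real uid */
#define ID_ENV_DIFFERS   2 /* $USER missing or != passwd name of real uid */
#define ID_LOGIN_UNKNOWN 4 /* getlogin() returned NULL */

/* Pure comparison (hypothetical helper) so it can be checked with
 * constructed values as well as with the live process state. */
int classify_identity(const char *login, const char *env_user,
                      const char *uid_name)
{
    int flags = ID_OK;

    if (login == NULL)
        flags |= ID_LOGIN_UNKNOWN;
    else if (strcmp(login, uid_name) != 0)
        flags |= ID_LOGIN_DIFFERS;
    if (env_user == NULL || strcmp(env_user, uid_name) != 0)
        flags |= ID_ENV_DIFFERS;
    return flags;
}

int main(void)
{
    struct passwd *pw = getpwuid(getuid());
    char uid_name[256];

    if (pw == NULL) {
        fprintf(stderr, "no passwd entry for uid %ld\n", (long)getuid());
        return 2;
    }
    /* Copy out of the static passwd buffer before making further calls. */
    snprintf(uid_name, sizeof uid_name, "%s", pw->pw_name);

    /* On FreeBSD, getlogin(2) returns the name stored with the session by
     * setlogin(2); it is independent of the environment. */
    const char *login = getlogin();
    const char *env_user = getenv("USER");
    int flags = classify_identity(login, env_user, uid_name);

    printf("getlogin=%s USER=%s uid-name=%s flags=%d\n",
           login ? login : "(none)", env_user ? env_user : "(unset)",
           uid_name, flags);
    return flags ? 1 : 0;
}
```

Run in the shell obtained from 'su -l' and from 'login -f' to compare which of the three names each one changes.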