Date: Sat, 3 Oct 2015 10:28:06 -0700
From: Bryan Drewery <bdrewery@FreeBSD.org>
To: "Simon J. Gerraty" <sjg@juniper.net>
Cc: Jilles Tjoelker <jilles@stack.nl>, freebsd-arch@freebsd.org
Subject: Re: login -f changing session getlogin(2)
Message-ID: <56101026.7060206@FreeBSD.org>
In-Reply-To: <28007.1443892369@chaos>
References: <560D826D.7000302@FreeBSD.org> <20151001203436.GA22737@stack.nl> <560DAD6D.7050007@FreeBSD.org> <28007.1443892369@chaos>

On 10/3/2015 10:12 AM, Simon J. Gerraty wrote:
> Hi Bryan
>
>>>> It makes me wonder if there's bigger architectural issues here that need
>>>> addressing with session and login. Perhaps login -f is just a special
>>>> case though.
>
> As others have indicated your use of 'login -f' is "unexpected".
>
>> Well, none of that is documented or its use discouraged. It has been
>
> People document what they expect others need to know - and that is
> framed by their own expectations of usage.
> Thus lack of a documented admonition against every possible usage, does
> not constitute a guarantee of support.
>
> When eventually someone uses something in an "unexpected" way,
> and encounters problems, there are basically three options.
>
> 1/ document that that should not be done, or that problems may arise
>
> 2/ prevent it being done
>
> 3/ make it work
>
>> And actually, 'su -l' NOT calling setlogin(2) is another surprise. I
>> have used 'login -f' precisely because it simulates a real login and
>> sets up the environment as the user. If I am dropping into a user's
>> shell I expect things like 'mail' to have their FROM not root or
>> wherever I came from in my session.
>
> Masquerading as another user to that extent, sounds somewhat disturbing
> actually, and not something that should really be optimized for.
>
> So I'd guess in this case that #1 is the correct option.
>

This still ignores that 'su -l' does the opposite.

Sometimes sysadmins need to masquerade as users for support. Having a
user hand over their SSH password, or adding a password to a service
user that should NOT have remote access, is not the answer. There needs
to be a way to login fully as a user for debugging issues as that user.

-- 
Regards,
Bryan Drewery