Date: Mon, 9 Jul 2018 14:13:40 -0500
From: Guy Helmer <guy.helmer@gmail.com>
To: "Julian H. Stacey" <jhs@berklix.com>
Cc: current@freebsd.org
Subject: Re: How to add su to /rescue ?
Message-ID: <2ACD0DE9-3C43-48DE-BD5A-E074E1A4740E@gmail.com>
In-Reply-To: <201807091154.w69Bs7Ha024391@fire.js.berklix.net>
References: <201807091154.w69Bs7Ha024391@fire.js.berklix.net>

> On Jul 9, 2018, at 6:54 AM, Julian H. Stacey <jhs@berklix.com> wrote:
>
> Hi current@
> I want to add su to /rescue, but got stuck on pam.
> Old unix su didn't suffer from pam.
> There's no #define in su to turn off pam.
> Man src.conf says WITHOUT_PAM is deprecated & does nothing.
>
> Can someone please offer a solution ?
> Or better to include a simple BSD su pre pam ?
> I would happily develop a patch for that.

Hi,

Aside from not being able to use pam from a static executable, please don’t try to make the crunched hard-linked executable in /rescue setuid-root (su is useless without it). That would mean anyone running /rescue/sh gets a root shell :-)

Conceptually, a separate crunchgen binary could be made for setuid-root purposes, but having a setuid-root binary in /rescue (outside of the normal hierarchy) makes me nervous.

Regards,
Guy

>
> Notes to explain the need, & patches from my
> http://berklix.com/~jhs/src/bsd/fixes/freebsd/src/gen/rescue/
> ---------
>
> Patch[es] below to solve this emailed scenario:
>> Please on prison-host cp /lib/libc.so.7 /tank/ezjail/my-domain/lib/libc.so.7
>> I am logged in on jail-host, but only as normal-user, not root, so I cannot run
>> /rescue/cp /usr/obj/usr/src/lib/libc/libc.so.7 /lib/libc.so.7
>>
>> a my make installworld on jail-host.my-domain previously failed with
>> ===> lib/libc (install)
>> install -C -o root -g wheel -m 444 libc.a /usr/lib
>> install -C -o root -g wheel -m 444 libc_p.a /usr/lib
>> install -s -o root -g wheel -m 444 -fschg -S libc.so.7 /lib
>> install: /lib/libc.so.7: chflags: Operation not permitted
>> *** Error code 71
>> (might or not be an artifact of being in a jail)
>>
>> unfortunately I had run the command as
>> xs make installworld
>> (xs is my own little root wrapper)
>> so when it exited, I was just normal-user not root, & I had forgotten to
>> open another xterm & leave it logged in as root,
>> & I found no /rescue/su
>
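The hard-link concern raised in the reply above, as an added example that is not part of the original message or of FreeBSD's build: permission bits live on the inode, so setting setuid through one name of a hard-linked file sets it for every name. The scratch directory, its file names and the function names are constructed for illustration; nothing under /rescue is touched.

```shell
#!/bin/sh
# Added example: works only on constructed scratch files in a temp directory.

# Audit: list setuid regular files under a directory that have more than
# one hard link. Every other name of such an inode is setuid as well.
audit_setuid_hardlinks() {
    find "$1" -xdev -type f -perm -4000 -links +1 -print 2>/dev/null
}

# Count how many names under a directory carry the setuid bit.
count_setuid_names() {
    find "$1" -type f -perm -4000 -print | wc -l | tr -d ' '
}

# Build a stand-in for a crunched directory: one file, several linked names.
demo_crunched_dir() {
    dir=$(mktemp -d) || return 1
    # Hypothetical stand-in for the crunched binary, which dispatches on argv[0].
    printf '#!/bin/sh\necho "argv0=$0"\n' > "$dir/rescue"
    chmod 555 "$dir/rescue"
    for name in sh cp ls su; do
        ln "$dir/rescue" "$dir/$name"
    done
    echo "$dir"
}

main() {
    dir=$(demo_crunched_dir) || exit 1
    echo "setuid names before: $(count_setuid_names "$dir")"
    # Intent: mark only "su". Effect: the shared inode, hence all five names.
    chmod u+s "$dir/su"
    echo "setuid names after 'chmod u+s su': $(count_setuid_names "$dir")"
    echo "names flagged by the audit:"
    audit_setuid_hardlinks "$dir"
    rm -rf "$dir"
}

main
```

Pointing `audit_setuid_hardlinks` at a real directory reports any setuid file whose privilege is shared with other names through hard links.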