From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: Ted Toth <txtoth@gmail.com>, SELinux <selinux@tycho.nsa.gov>
Subject: Re: su vs runuser
Date: Thu, 18 Aug 2011 06:40:09 -0400 [thread overview]
Message-ID: <4E4CEC09.5020300@redhat.com> (raw)
In-Reply-To: <1313593741.28571.36.camel@moss-pluto>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/17/2011 11:09 AM, Stephen Smalley wrote:
> On Wed, 2011-08-17 at 09:30 -0500, Ted Toth wrote:
>> I've read that I should use runuser instead of su and I was having
>> a problem getting a script to transition properly until I changed
>> it to use runuser but I'm not clear on why this is. Can someone
>> help me with an elevator speech that I can use when trying to
>> explain this to others?
>
> runuser runs in the same uid (i.e. it is not setuid-root) and
> security context as the caller - it isn't a trusted application. It
> can only be used if the caller is already privileged. It never
> requires authentication, and thus can be easily used in
> non-interactive scripts.
>
> su is a setuid-root program that typically runs in a different
> security context than the caller so that it can read user
> authentication secrets (/etc/shadow) and switch identities even if
> the caller can't directly do so. Early versions of Fedora/RHEL also
> put pam_selinux into /etc/pam.d/su, causing it to explicitly switch
> to the new user's security context, but that was later removed. But
> even without that, there is a security context transition when you
> invoke su (to enter su's domain so that you can read /etc/shadow and
> switch uid) and when su invokes the user shell or command (to
> transition back to the original caller's domain).
>
The actual first line of runuser.c is
#include "su.c"
So basically they are the exact same program, except, runuser has its
own version of the pam stack functions that just return success.
Bottom line. runuser is su without the pam_stack, it does not try to
run anything that is in /etc/pam.d/su.
Pretty much you have to run runuser as root and really should be used in
init scripts.
If you don't need to use any of the functionality in the pam stack, use
runuser, if you need to user "setuid" privs and want stuff in the pam
stack to run use su.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk5M7AkACgkQrlYvE4MpobMVQACfUXL2RVMSMtltRtHnMqsoUgN6
8TIAn3WfJJy7b4IxPoFU2jFffbcB1+3u
=1g8T
-----END PGP SIGNATURE-----
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
prev parent reply other threads:[~2011-08-18 10:40 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-08-17 14:30 su vs runuser Ted Toth
2011-08-17 15:09 ` Stephen Smalley
2011-08-18 10:40 ` Daniel J Walsh [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4E4CEC09.5020300@redhat.com \
--to=dwalsh@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
--cc=txtoth@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.