From: Martin Steigerwald <martin@lichtvoll.de>
To: Karel Zak <kzak@redhat.com>
Cc: util-linux@vger.kernel.org
Subject: Re: Debian´s change of "su" to the one in util-linux
Date: Mon, 06 Aug 2018 10:33:48 +0200 [thread overview]
Message-ID: <9527938.bmH0D6gqrg@merkaba> (raw)
In-Reply-To: <20180806064747.if5vniu65nsibfvg@ws.net.home>
Karel Zak - 06.08.18, 08:47:
> On Sun, Aug 05, 2018 at 10:35:34AM +0200, Martin Steigerwald wrote:
> > ownership preserved. However, for accessing the remote servers it
> > needs access to the SSH agent running in the user session. The
> > backup scripts uses commands that are in "sbin" related
> > directories.
>
> This is common misunderstanding with su/sudo.
>
> su(1) creates a new *session* -- it means all the PAM stuff, all
> logging, extra session parent process, etc. It's almost always
> overkill to use such commands if all you need is a different UID.
>From the viewpoint of the "loginctl" command from "systemd-logind" it
does not. "loginctl" always displays one session, no matter how many
"su" sessions I have open.
But I bet sessions are something different in different contexts.
> > And then: How to implement a backup script that needs root access
> > for
> > most operations, but also requires access to SSH agent from a user
> > setup? Dig out the environment variables of the SSH agent myself?
> > Let
> > the script run as a user and use "setprivs" that is mentioned as
> > recommend in the "su" manpage, yet is in a different package
> > altogether and not part of "util-linux".
>
> setpriv(1) is the right choice and it's part of util-linux (at least
> in upstream tree).
Thanks for that hint. I now found that the "setpriv" binary package in
Debian is from the "util-linux" source package.
However I do not see how "setpriv" would be appropriate for my use case.
Just as "runuser" it can only be used as "root". It cannot be used by a
regular user, as it can only drop privileges and does not ask for a
password.
> > Also… login.defs manpage from shadow project does not mention
> > "ALWAYS_SET_PATH", but manpage of su from util-linux does mention
> > it.
> > And there does not appear to be a manpage about "login.defs" in
> > "util- linux" package at all. (I found before that there appears to
> > be a huge, big mess about some things in "util-linux", some in
> > "shadow" and some in both).
>
> "login.defs" is shared between many projects and tools. We have all
> related options described in tool specific man pages -- for example in
> su(1).
Okay, noted. It of course adds to the confusion. And it feels
inconsistent for it.
And as I wrote in my reply to Ted´s mail: The "login" command from
"shadow" project does not understand the "ALWAYS_SET_PATH" option the
"su" command from "util-linux" project knows.
However I am not at all for "systemd"-ing this as well. But I wonder
whether the current split of "shadow" and "util-linux" is all that
beneficial. At least in that case I of using the "login.defs" file for
both, I´d expect the tools to ignore unknown configuration options, but
this has the risk to let a configuration error go unnoticed.
Thanks,
--
Martin
prev parent reply other threads:[~2018-08-06 10:41 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-08-05 8:35 Debian´s change of "su" to the one in util-linux Martin Steigerwald
2018-08-05 10:43 ` Dmitry V. Levin
2018-08-05 15:05 ` Theodore Y. Ts'o
2018-08-06 8:24 ` Martin Steigerwald
2018-08-06 13:21 ` Theodore Y. Ts'o
2018-08-06 14:43 ` Karel Zak
2018-08-06 15:56 ` Bernhard Voelker
2018-08-06 6:47 ` Karel Zak
2018-08-06 8:33 ` Martin Steigerwald [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=9527938.bmH0D6gqrg@merkaba \
--to=martin@lichtvoll.de \
--cc=kzak@redhat.com \
--cc=util-linux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).