bug#8700: Simple way to switch user/group permissions without requiring PAM sessions
Wed, 28 Mar 2012 16:26:37 +0100
On 05/19/2011 03:22 PM, Jim Meyering wrote:
> Colin Watson wrote:
>> Every so often I wish that there existed (preferably in the Debian base
>> system) a tool analogous to chroot that drops privileges from root to a
>> nominated user, group, etc. and runs a given program.
>> Of course I do know about su, sudo, etc., but:
>> * su and sudo are often configured to start a PAM session with noisy
>> logging etc.;
>> * su has a messy historical command-line syntax that requires fiddly
>> * sudo isn't installed everywhere;
>> * these programs all have lots of authentication baggage, which is
>> thoroughly overkill when I'm writing shell scripts that run as root
>> and just want to quickly run a program as some other user.
>> One example of when I want to use this is in Debian's
>> /etc/cron.daily/man-db script. Towards the end of this, I want to run
>> the mandb program as the 'man' user. I ended up using Debian's
>> start-stop-daemon, which happens to be able to run something in the
>> foreground as a different user; but mandb is not a daemon,
>> start-stop-daemon isn't universal, and so this all feels like a hack.
>> In other similar situations I've ended up with a couple of lines of
>> Perl, something like:
>> perl -e '@pwd = getpwnam("man"); $( = $) = $pwd[3]; $< = $> = $pwd[2];
>> exec "/usr/bin/mandb", @ARGV' -- "$@"
>> Again, though: punctuation-heavy, not trivial to get exactly right,
>> delicate quoting, and so on.
>> It seems to me that we could use something which can do ID switches away
>> from root without all the authentication stuff, and could be simple
>> enough to go in coreutils and ultimately end up on all GNUish systems.
>> When I complained about the lack of this on a local IRC channel, Ian
>> Jackson (CCed) pointed out that his 'really' tool is pretty close to
>> this; it does have some very simple authentication code, but that's easy
>> to strip out, and the rest is almost identical to what I'd want to see
>> in such a tool. He did say that he'd prefer it not to be called
>> 'really' if it's not installed setuid; I suggest 'chid' by analogy with
>> chroot, chcon, etc.
>> The source for 'really' is here (and while I can't speak for him
>> I suspect Ian would be happy to do FSF assignment and such, since he's
>> already a GNU maintainer):
>> Another piece of prior art is the 'runas' tool in titantools. However,
>> this is under a non-free licence and its command line interface is not
>> all that great IMO, so it's probably only useful to know about it to
>> avoid using the same (tempting) name.
> Hi Colin,
> coreutils already has a minimalist src/setuidgid.c, but currently it's
> not installed. Rather, it is used only when running the test suite:
> $ ./setuidgid --help
> Usage: ./setuidgid [SHORT-OPTION]... USER COMMAND [ARGUMENT]...
> or: ./setuidgid LONG-OPTION
> Drop any supplemental groups, assume the user-ID and group-ID of the
> USER (numeric ID or user name), and run COMMAND with any specified
> Exit with status 111 if unable to assume the required user and group ID.
> Otherwise, exit with the exit status of COMMAND.
> This program is useful only when run by root (user ID zero).
> -g GID[,GID1...] also set the primary group-ID to the numeric GID, and
> (if specified) supplemental group IDs to GID1, ...
> --help display this help and exit
> --version output version information and exit
> Does that do what you'd like?
> If so, do you feel like writing a few words in coreutils.texi
> so this part of its --help is no longer a lie?
> For complete documentation, run: info coreutils 'setuidgid invocation'
> Also, if we're going to install it, we'd have to have a few tests,
> just for it, to exercise its functionality.
> I like your proposed name of "chid".
> I took a peek at "really" and see that it has several more options
> than setuidgid. If you'd expect to use some of those, we should
> discuss. For example, is --chroot just a convenience? It'd be
> useful to explain in the documentation when/how it can be useful.
> I'm game if you are willing to write the patch, with documentation and tests.
This is essentially what the runuser command from Fedora does,
and that is based on the coreutils su command.
How about we just incorporate `runuser` into coreutils upstream?
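
Added example, not part of the thread and not the coreutils setuidgid source: a C program that performs the drop the quoted --help text describes (replace the supplementary groups, set the GID, set the UID, exit 111 on failure) and strictly parses a -g style GID list. The argument layout USER GIDS COMMAND and the names parse_gids and drop_to are assumptions made for this example.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdlib.h>
#include <unistd.h>

/* Parse "GID[,GID1...]" strictly; return the count, or -1 on any malformed,
   out-of-range or reserved ((gid_t)-1, "leave unchanged") value. */
int parse_gids(const char *s, gid_t *out, int max)
{
    int n = 0;
    for (;;) {
        char *end;
        if (*s < '0' || *s > '9' || n == max)
            return -1;                  /* empty field, sign, or too many */
        errno = 0;
        unsigned long long v = strtoull(s, &end, 10);
        if (errno || v >= (unsigned long long)(gid_t)-1)
            return -1;                  /* overflow or reserved ID */
        out[n++] = (gid_t)v;
        if (*end == '\0')
            return n;
        if (*end != ',')
            return -1;                  /* trailing garbage */
        s = end + 1;
    }
}

/* Drop from root. Order matters: groups and GID while still privileged,
   UID last. Then verify the IDs and that root cannot be regained. */
int drop_to(uid_t uid, gid_t gid, const gid_t *sup, size_t nsup)
{
    if (setgroups(nsup, sup) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

/* Assumed usage: prog USER GIDS COMMAND [ARG]...  (GIDS: primary first) */
int main(int argc, char **argv)
{
    gid_t g[32];
    struct passwd *pw = argc > 3 ? getpwnam(argv[1]) : NULL;
    int n = pw ? parse_gids(argv[2], g, 32) : -1;
    if (n < 1 || drop_to(pw->pw_uid, g[0], g + 1, n - 1) != 0)
        return 111;                     /* status from the --help text */
    execvp(argv[3], argv + 3);
    return 111;
}
```
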