Control: tags -1 - moreinfo

On Thu, 14 Feb 2019 19:28:29 +0000 Simon McVittie wrote:

> On Sat, 09 Feb 2019 at 23:26:53 +0100, Francesco Poli wrote:
> > On Sat, 9 Feb 2019 22:31:14 +0100 Michael Biebl wrote:
> > > I guess I already mentioned the two alternatives (runuser/setpriv).
> > [...]
> > 
> > Maybe setpriv is equivalent to s6-setuidgid.
> > If this is the case, it can be used as an alternative to s6-setuidgid.
> 
[...]
> Running `setpriv --reuid NAME --init-groups PROGRAM ARGS` appears to be
> equivalent to `s6-setuidgid NAME PROGRAM ARGS`.

OK, thanks for the explanation.
I'll try to find some time to experiment and apply this change to
apt-listbugs. Since buster is already in soft freeze, the modification
will probably have to be meant for buster+1 ...

[...]
> > I would like some insight especially on [message #30], regarding the
> > fact that runuser does something basically equivalent to what su does,
> > and thus seems to be unfit to irreversibly drop root privileges
> 
> The major difference between {setpriv,s6-setuidgid} and runuser is that
> runuser, like su, sets up a new PAM session and re-initializes some
> standard environment variables.
> 
> Also like su, if run with -l, it also tries to behave like a login shell
> (clears more environment variables, changes to the target user's home
> directory, etc.) and runs a different PAM stack (which registers with
> systemd-logind, if installed, as a new login session).
> 
> However, runuser is not setuid (unlike su), so it cannot increase
> privileges, only drop them. The only thing it *can* do is to drop root
> privileges; so if you consider it to be unfit to do that for some reason,
> it would have no purpose at all.

As far as I understand it (after reading the [web page] cited in
the commit where I introduce the s6 recommendation into apt-listbugs),
the problem with su and similar programs is not that they cannot drop
root privileges, but that they cannot do so irreversibly.

[web page]: <https://jdebp.eu/FGA/dont-abuse-su-for-dropping-privileges.html>

However, this is not especially important now, since we are talking
about replacing s6-setuidgid with setpriv...

[...]
> > and
> > regarding my search for a command that works like s6-setuidgid, but
> > runs the given command inside the user's login shell (with all the
> > environment that the user would get on a normal login).
> 
> As stated, this isn't really well-defined. Whether and how this is
> possible depends what you mean by "a normal login". The execution
> environment the user would get from login(1) as invoked by getty(8),
> from a display manager like xdm, and from sshd are all different (they
> invoke different PAM stacks); and that's before you've even entered
> any shells.
[...]

Wow, thanks a lot for the very long and detailed explanations!
They were an interesting read that clarified some points.


-- 
 http://www.inventati.org/frx/
 There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
 GnuPG key fpr == CA01 1147 9CD2 EFDF FB82  3925 3E1C 27E1 1F69 BFFE
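The irreversible drop that the cited web page and the `setpriv --reuid NAME --init-groups` / `s6-setuidgid NAME` invocations discussed above aim at, as an added C example for Linux (written for this note; it is not code from this thread, from apt-listbugs, from setpriv or from s6): supplementary groups are changed while still root, then gid, then uid, each setting the real, effective and saved ids, and the result is checked before the target program is exec'd.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Drop to uid/gid in the order setpriv and s6-setuidgid use: supplementary
 * groups first (only possible while still root), then gid, then uid, setting
 * real, effective AND saved ids so no saved id allows a return to root.
 * 'name' may be NULL; if given, supplementary groups are initialised from
 * the group database like `setpriv --init-groups`. Returns 0 or -1 (errno set). */
int drop_privileges_irreversibly(const char *name, uid_t uid, gid_t gid) {
    if (geteuid() == 0) {
        int rc = name ? initgroups(name, gid) : setgroups(0, NULL);
        if (rc == -1) return -1;
    }
    if (setresgid(gid, gid, gid) == -1) return -1;
    if (setresuid(uid, uid, uid) == -1) return -1;
    return 0;
}

/* Verify the drop really is irreversible: all three uids/gids equal the
 * target and, for a non-root target, an attempt to become root again fails
 * (it would succeed if the saved uid had been left at 0, as with a bare su-style
 * seteuid). Returns 1 if irreversible, 0 otherwise. */
int privileges_are_irreversible(uid_t uid, gid_t gid) {
    uid_t ru, eu, su; gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) == -1 || getresgid(&rg, &eg, &sg) == -1) return 0;
    if (ru != uid || eu != uid || su != uid) return 0;
    if (rg != gid || eg != gid || sg != gid) return 0;
    if (uid != 0 && setuid(0) == 0) return 0;  /* regained root: not irreversible */
    return 1;
}

/* Usage: ./drop NAME PROGRAM [ARGS...]  (same argument shape as s6-setuidgid) */
int main(int argc, char **argv) {
    if (argc < 3) { fprintf(stderr, "usage: %s NAME PROGRAM [ARGS...]\n", argv[0]); return 2; }
    struct passwd *pw = getpwnam(argv[1]);
    if (!pw) { fprintf(stderr, "unknown user %s\n", argv[1]); return 1; }
    if (drop_privileges_irreversibly(pw->pw_name, pw->pw_uid, pw->pw_gid) == -1) {
        perror("drop_privileges_irreversibly"); return 1;
    }
    if (!privileges_are_irreversible(pw->pw_uid, pw->pw_gid)) {
        fprintf(stderr, "refusing to continue: privileges not fully dropped\n"); return 1;
    }
    execvp(argv[2], argv + 2);
    perror("execvp"); return 127;
}
```

Run as root it behaves like `s6-setuidgid NAME PROGRAM ARGS`; run as an unprivileged user it can only "drop" to its own ids, which is what the self-check relies on.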
