Control: tags -1 - moreinfo
On Thu, 14 Feb 2019 19:28:29 +0000 Simon McVittie wrote:

> On Sat, 09 Feb 2019 at 23:26:53 +0100, Francesco Poli wrote:
> > On Sat, 9 Feb 2019 22:31:14 +0100 Michael Biebl wrote:
> > > I guess I already mentioned the two alternatives (runuser/setpriv).
> > [...]
> >
> > Maybe setpriv is equivalent to s6-setuidgid.
> > If this is the case, it can be used as an alternative to s6-setuidgid.
> [...]
> Running `setpriv --reuid NAME --init-groups PROGRAM ARGS` appears to be
> equivalent to `s6-setuidgid NAME PROGRAM ARGS`.

OK, thanks for the explanation.
I'll try to find some time to experiment and apply this change to
apt-listbugs. Since buster is already in soft freeze, the modification
will probably have to be meant for buster+1 ...

[...]
> > I would like some insight especially on [message #30], regarding the
> > fact that runuser does something basically equivalent to what su does,
> > and thus seems to be unfit to irreversibly drop root privileges
>
> The major difference between {setpriv,s6-setuidgid} and runuser is that
> runuser, like su, sets up a new PAM session and re-initializes some
> standard environment variables.
>
> Also like su, if run with -l, it also tries to behave like a login shell
> (clears more environment variables, changes to the target user's home
> directory, etc.) and runs a different PAM stack (which registers with
> systemd-logind, if installed, as a new login session).
>
> However, runuser is not setuid (unlike su), so it cannot increase
> privileges, only drop them. The only thing it *can* do is to drop root
> privileges; so if you consider it to be unfit to do that for some reason,
> it would have no purpose at all.

As far as I understand it (after reading the [web page] cited in the
commit where I introduce the s6 recommendation into apt-listbugs), the
problem with su and similar programs is not that they cannot drop root
privileges, but that they cannot do so irreversibly.

[web page]: <https://jdebp.eu/FGA/dont-abuse-su-for-dropping-privileges.html>

However, this is not especially important now, since we are talking
about replacing s6-setuidgid with setpriv...

[...]
> > and
> > regarding my search for a command that works like s6-setuidgid, but
> > runs the given command inside the user's login shell (with all the
> > environment that the user would get on a normal login).
>
> As stated, this isn't really well-defined. Whether and how this is
> possible depends what you mean by "a normal login". The execution
> environment the user would get from login(1) as invoked by getty(8),
> from a display manager like xdm, and from sshd are all different (they
> invoke different PAM stacks); and that's before you've even entered
> any shells.
[...]

Wow, thanks a lot for the very long and detailed explanations!
They were an interesting read that clarified some points.

-- 
http://www.inventati.org/frx/
There's not a second to spare! To the laboratory!
..................................................... Francesco Poli .
GnuPG key fpr == CA01 1147 9CD2 EFDF FB82 3925 3E1C 27E1 1F69 BFFE
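Added by the editor, not part of the thread above and not apt-listbugs, s6 or util-linux code: a small Python script showing the privilege-drop pattern that `s6-setuidgid NAME PROGRAM ARGS` and `setpriv --reuid NAME --init-groups PROGRAM ARGS` follow, and the check that distinguishes an irreversible drop from a partial one. It assumes Linux and Python 3's `os.setresuid`/`os.setresgid`/`os.getgrouplist`; the program name `dropexec` and the sample ids in the comments are invented for illustration. Supplementary groups and gids are changed first (while still root), then real, effective and saved uid are all set at once, the result is checked with `verify_dropped`, and the target program is exec'd in place rather than forked, so no root parent lingers the way it does with su or runuser.

```python
#!/usr/bin/env python3
"""dropexec: drop root irreversibly, then exec PROGRAM as NAME.

Editor-added illustration of the setpriv / s6-setuidgid pattern; it is not the
code of either tool. Run as root: dropexec NAME PROGRAM [ARGS...]
"""
import os
import pwd
import sys


def target_identity(name):
    """Resolve NAME to (uid, primary gid, supplementary groups).

    os.getgrouplist is the equivalent of setpriv's --init-groups: it reads the
    group database so the process ends up with the user's full group list.
    """
    pw = pwd.getpwnam(name)
    groups = os.getgrouplist(name, pw.pw_gid)
    return pw.pw_uid, pw.pw_gid, groups


def verify_dropped(uid, gid, resuid, resgid, groups):
    """Return True only if the drop to (uid, gid) is complete and irreversible.

    resuid/resgid are (real, effective, saved) triples as returned by
    os.getresuid()/os.getresgid(). A saved set-user-ID of 0, which a bare
    seteuid() from root leaves behind, would allow the process to switch back
    to root later, so it counts as NOT dropped. Root in the supplementary
    group list is rejected for the same reason.
    """
    if uid == 0 or gid == 0:
        return False
    if any(u != uid for u in resuid):
        return False
    if any(g != gid for g in resgid):
        return False
    if 0 in groups:
        return False
    return True


def drop_privileges(uid, gid, groups):
    """Switch this process to uid/gid/groups with no way back to root."""
    # Order matters: groups and gid must be changed while we are still root,
    # because a non-root process may not call setgroups().
    os.setgroups(groups)
    os.setresgid(gid, gid, gid)
    # Set real, effective AND saved uid together so nothing keeps a root id.
    os.setresuid(uid, uid, uid)
    if not verify_dropped(uid, gid, os.getresuid(), os.getresgid(), os.getgroups()):
        raise RuntimeError("privilege drop incomplete")
    # Belt and braces: regaining root must now be refused by the kernel.
    try:
        os.setuid(0)
    except PermissionError:
        return
    raise RuntimeError("was able to regain root after dropping privileges")


def main(argv):
    if len(argv) < 3:
        sys.exit("usage: dropexec NAME PROGRAM [ARGS...]")
    name, program, args = argv[1], argv[2], argv[2:]
    uid, gid, groups = target_identity(name)
    drop_privileges(uid, gid, groups)
    # exec in place, do not fork: unlike su/runuser there is no root parent
    # process left behind, and PROGRAM becomes the supervisor's direct child.
    os.execvp(program, args)


if __name__ == "__main__":
    main(sys.argv)
```

The pure `verify_dropped` check is the part worth reusing in a service's own startup code: call it after any privilege-dropping step and refuse to continue if it fails, rather than assuming the drop worked.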