Re: The su manual doesn't mention use root account by default
On 13/06/2019 20:56, Misc User wrote:
> On 6/13/2019 9:42 AM, Adam Thompson wrote:
>> On 2019-06-12 03:55, Ingo Schwarze wrote:
>> During initial system installation & deployment, before doas is
>> configured, and assuming you haven't [yet] added your SSH keys to
>> ~root/.ssh/allowed_keys, it's quite impossible to avoid using su.
>> (AFAIK. If there's another way, let me know!)
>
> siteXX.tgz
>
> https://www.openbsd.org/faq/faq4.html#site

This is a neat solution.

Another could be to use single user mode as per
https://www.openbsd.org/faq/faq8.html#LostPW .

This is pretty low level and whether or not it is sufficient depends on
what sort of extra configuration needs doing.

Andrew

-- 
OpenPGP key: EB28 0338 28B7 19DA DAB0 B193 D21D 996E 883B E5B9
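The siteXX.tgz route that Misc User points to and Andrew calls a neat solution, worked through as an added example (this is not code from the thread or from the OpenBSD project): a script that stages a site set carrying /etc/doas.conf, root's authorized_keys and an install.site hook, so the first doas rule and the first SSH key are already in place when the installer finishes and su(1) is never needed. It relies on what faq4.html#site describes, namely that the installer extracts the set with "tar xzphf" and then runs /install.site as root inside the new system. The release suffix (site65.tgz for 6.5), the choice of wheel as the admin group (the group the installer puts the user it creates into), the key line and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: stage an OpenBSD siteXX.tgz that
# ships a doas rule and root's SSH key, so a fresh install can be
# administered with doas(1) and ssh(1) from the start, never via su(1).
# Assumptions: the installer extracts the set with "tar xzphf" (modes are
# preserved) and runs /install.site as root in the new system afterwards,
# as described in faq4.html#site. The name site65.tgz is for release 6.5.

# build_site_tgz <staging dir> <output tgz (absolute path)> <ssh public key line>
build_site_tgz() {
    stage=$1
    out=$2
    pubkey=$3

    mkdir -p "$stage/etc" "$stage/root/.ssh"

    # One narrow rule: members of wheel may become root, with a password
    # (persist only caches a recent success). No nopass, no keepenv.
    printf 'permit persist :wheel as root\n' > "$stage/etc/doas.conf"

    # The key that will be allowed to log in as root over SSH.
    printf '%s\n' "$pubkey" > "$stage/root/.ssh/authorized_keys"

    # Modes stored in the tarball are what "tar xzphf" restores.
    chmod 0600 "$stage/etc/doas.conf" "$stage/root/.ssh/authorized_keys"
    chmod 0700 "$stage/root/.ssh"

    # install.site runs as root in the installed system, so it can fix the
    # ownership that a non-root staging user cannot record in the tarball:
    # doas(1) rejects a doas.conf not owned by root, and sshd's StrictModes
    # ignores an authorized_keys (or ~/.ssh) with unsafe ownership or modes.
    cat > "$stage/install.site" <<'EOF'
#!/bin/sh
chown root:wheel /etc/doas.conf /root/.ssh /root/.ssh/authorized_keys
chmod 0600 /etc/doas.conf /root/.ssh/authorized_keys
chmod 0700 /root/.ssh
EOF
    chmod 0755 "$stage/install.site"

    tar czf "$out" -C "$stage" etc root install.site
}

# site_has <tgz> <member path>: exit 0 if the set carries exactly that member.
site_has() {
    tar tzf "$1" | grep -qx "$2"
}

# Usage (constructed key line, not a real key):
#   build_site_tgz /tmp/site-stage /tmp/site65.tgz \
#       'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedExampleKeyNotReal admin@host'
#   site_has /tmp/site65.tgz etc/doas.conf && echo "doas.conf present"
```

Put the resulting site65.tgz next to the other sets on the install medium or mirror. Because it is not covered by the release's signed SHA256.sig, the installer reports it as unverified and asks whether to continue, so keep the set on a host you control and check its checksum yourself. The chown in install.site is the step that matters: "tar xzphf" run as root restores the owner recorded at staging time, which for a non-root staging user is the wrong one.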
Re: The su manual doesn't mention use root account by default
On 6/13/2019 9:42 AM, Adam Thompson wrote:
> On 2019-06-12 03:55, Ingo Schwarze wrote:
> During initial system installation & deployment, before doas is
> configured, and assuming you haven't [yet] added your SSH keys to
> ~root/.ssh/allowed_keys, it's quite impossible to avoid using su.
> (AFAIK. If there's another way, let me know!)

siteXX.tgz

https://www.openbsd.org/faq/faq4.html#site
Re: The su manual doesn't mention use root account by default
Well, I often need a root shell. Usually I login as a user in group wheel, but not operator! The perils of group operator were explained in a previous thread. I don't use that group anymore.

As I understand, nothing like a web browser, etc. should ever be used by root. So I don't. I have been using doas su -l to get a root shell, while using those other programs as the original user. I never use ssh from the root shell.

Am I doing something unsafe here? Should I NOT open the root shell and only execute each command with doas? That's easy to do also. A third choice is actually to login as root directly.

Does having a root shell open continuously, but only when using it, cause me to have a significant security risk? It's convenient, but not necessary. And there was that tty security problem that came up in another thread.

I've been meaning to ask this question, seems like a good thread to ask it in. Things have changed significantly recently, so I feel a little unsure how things stand now.

Thanks,
Chris Bennett
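Chris's question above (a standing root shell via "doas su -l" versus one doas rule per command) comes down to what /etc/doas.conf lets a wheel member do. The following is an added example, not code from the thread or from the OpenBSD project: a small audit that reads a doas.conf and reports every rule that amounts to a full root shell, either because it has no cmd at all or because the command it permits is itself a shell, su or doas. It follows the rule shape documented in doas.conf(5); the sample configuration, user names and paths in the block are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: report doas.conf rules that grant a
# root shell rather than a single command. Follows the doas.conf(5) rule shape
#   permit|deny [options] identity [as target] [cmd command [args ...]]
# where options are nopass, nolog, persist, keepenv and setenv { ... }.

# audit_doas_conf <file>
# Prints "<line>: <reason>: <rule>" for every permit rule targeting root
# (explicitly or by default) that either has no cmd or whose cmd is a shell,
# su or doas. Prints nothing for a configuration without such rules.
audit_doas_conf() {
    awk '
    # True if the command is itself a way to a shell; compare basenames
    # so that /bin/sh and sh are treated alike.
    function is_shell(c) {
        sub(".*/", "", c)
        return (c == "sh" || c == "ksh" || c == "csh" || c == "bash" ||
                c == "su" || c == "doas")
    }
    {
        line = $0
        sub(/#.*/, "", line)                       # drop comments
        gsub(/^[ \t]+|[ \t]+$/, "", line)          # trim
        if (line == "") next
        n = split(line, f, /[ \t]+/)
        if (f[1] != "permit") next                 # deny rules grant nothing

        i = 2
        while (i <= n && (f[i] == "nopass" || f[i] == "nolog" ||
                          f[i] == "persist" || f[i] == "keepenv" ||
                          f[i] == "setenv")) {
            if (f[i] == "setenv") {                # skip "{ VAR=val ... }"
                while (i <= n && f[i] !~ /}$/) i++
            }
            i++
        }
        i++                                        # identity (user or :group)

        target = "root"                            # doas(1) default target
        if (f[i] == "as") { target = f[i+1]; i += 2 }
        cmd = (f[i] == "cmd") ? f[i+1] : ""
        if (target != "root") next

        if (cmd == "") {
            print NR ": any command as root: " $0
        } else if (is_shell(cmd)) {
            print NR ": shell escape via " cmd ": " $0
        }
    }' "$1"
}

# count_findings <file>: number of risky rules, as a plain integer.
count_findings() {
    audit_doas_conf "$1" | wc -l | tr -d ' '
}

# Constructed sample, not a real system's file: the convenient layout
# (first two rules) next to rules scoped to one command each.
write_sample_conf() {
    cat > "$1" <<'EOF'
# everyone in wheel gets any command as root, password cached by persist
permit persist :wheel
# still a full root shell, just spelled differently
permit nopass chris as root cmd su
# narrow: one service action, arguments pinned
permit chris as root cmd /usr/sbin/rcctl args restart httpd
# narrow and not even root
permit setenv { HOME=/home/chris } chris as _backup cmd /usr/local/bin/rsync
deny bob
EOF
}

# Usage:
#   write_sample_conf /tmp/doas.conf.sample
#   audit_doas_conf /tmp/doas.conf.sample
# reports the first two rules and nothing for the other three.
```

A per-command rule is only as narrow as the command: anything that can spawn a shell or write arbitrary files as root (editors, pagers, tar, interpreters) is a root shell in disguise, and without "args" the command accepts whatever arguments the caller passes. So the report above is a floor, not a proof of least privilege; it does make the difference between "permit persist :wheel" and a pinned rcctl rule visible at a glance.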
Re: The su manual doesn't mention use root account by default
On 2019-06-12 03:55, Ingo Schwarze wrote:
> Even though su(1) can still be used today to relinquish privilege
> when you are already root, no more development is done on it and people
> rarely look at the manual page. The last time new functionality was
> added to the su(1) manual page was almost a decade ago, and the
> last time before that 17 years ago.

Well, su(8) also is used to obtain root privileges in the first place.

FWIW, I regularly use "su" on OpenBSD because it's a relatively consistent cross-platform way to have root run a command as someone else. I recall a good number of ports using su(8) internally in, e.g. process-control scripts - but that was years ago, not sure if it's still true or not. doas simply isn't available anywhere else (yet). (IMHO, I don't think a portable version of doas has a lot of potential - it's not complicated enough! )

During initial system installation & deployment, before doas is configured, and assuming you haven't [yet] added your SSH keys to ~root/.ssh/allowed_keys, it's quite impossible to avoid using su. (AFAIK. If there's another way, let me know!)

I hope you're just saying that su(8) is a mature, stable utility that needs no further work right now. It kind of sounds like you might be saying that su(8) could be on the chopping block, much like sudo(8)... have I misread that?

-Adam
Re: The su manual doesn't mention use root account by default
Hi,

Christian Weisgerber wrote on Thu, Jun 13, 2019 at 11:13:11AM -:
> On 2019-06-13, "Theo de Raadt" wrote:
>> Somebody wrote:
>>> I always considered that su is coming from _s_uper _u_ser. But maybe I
>>> am wrong, I am not from old UNIX days.

>> incorrect.
>>
>> NAME
>> su - substitute user identity

> Well, that's V7, which appears to have engaged in a bit of revisionism
> together with the then newly expanded functionality.
>
> Earlier in V6 it was "su - become privileged user" and "Su allows
> one to become the super-user, who has all sorts of marvelous (and
> correspondingly dangerous) powers".
>
> http://man.cat-v.org/unix-6th/8/su

Actually, that text (without the parenthetic remark) goes back all
the way to v1 (Nov/3/71).

To scare you a bit, the SYNOPSIS in v1 said:

  su password

and the DESCRIPTION:

  In order for su to do its magic, the user must pass as an argument
  a password.

There was a BUGS section, but it was explicitly empty.
Those were more carefree times.

The table of contents in v2 even said, under section I:

  su ... become super-user

https://www.tuhs.org/Archive/Distributions/Research/Dennis_v1/man13.pdf
https://www.tuhs.org/Archive/Distributions/Research/1972_stuff/unix_2nd_edition_manual.pdf

I just committed a fix to the HISTORY section of the manual page.


CVSROOT:	/cvs
Module name:	src
Changes by:	schwa...@cvs.openbsd.org	2019/06/13 06:59:51

Modified files:
	usr.bin/su     : su.1 

Log message:
su(I) goes back all the way to v1:
https://www.tuhs.org/Archive/Distributions/Research/Dennis_v1/man13.pdf
It wasn't in v0 PDP-7 UNIX though:
https://www.tuhs.org/Archive/Distributions/Research/McIlroy_v0/UnixEditionZero.txt


Index: su.1
===
RCS file: /cvs/src/usr.bin/su/su.1,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- su.112 Jun 2019 08:29:17 - 1.32
+++ su.113 Jun 2019 12:59:51 - 1.33
@@ -273,7 +273,7 @@ .Sh HISTORY A .Nm -command appeared in -.At v7 . +command first appeared in +.At v1 . .Sh BUGS The login name is not optional for root if there are shell arguments.
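Review bot: the rewritten HISTORY sentence ("A .Nm command first appeared in .At v1 .") dates the name correctly per the log message and the cited v1 manual, but as the discussion above shows, the v1 command only became super-user (taking the password as an argument) and the "substitute user identity" form that the rest of the page documents is the V7 one; consider keeping both facts, e.g. "A su command first appeared in v1; the ability to substitute an arbitrary user appeared in v7." Also worth confirming before commit that mdoc's .At macro accepts "v1" as an argument the way it accepts "v7", since a rejected argument renders as literal text.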
Re: The su manual doesn't mention use root account by default
On 2019-06-13, "Theo de Raadt" wrote:

>> I always considered that su is coming from _s_uper _u_ser. But maybe I
>> am wrong, I am not from old UNIX days.
>
> incorrect.
>
> NAME
> su - substitute user identity

Well, that's V7, which appears to have engaged in a bit of revisionism
together with the then newly expanded functionality.

Earlier in V6 it was "su - become privileged user" and "Su allows
one to become the super-user, who has all sorts of marvelous (and
correspondingly dangerous) powers".

http://man.cat-v.org/unix-6th/8/su

-- 
Christian "naddy" Weisgerber                          na...@mips.inka.de
Re: The su manual doesn't mention use root account by default
> Ingo seems to be rather good at those.

My favorites are Nick Holland's answers. But let's not forget Stuart Henderson, Henning Brauer, Stefan Sperling, Marc Espie ... and Dr. House. The answers from the latter are hard to digest but always solid and in place.

May be others too, my excuses for not mentioning them. And for killing the thread.
Re: The su manual doesn't mention use root account by default
Nan Xiao writes:
> Hi Ingo,
>
> Thanks for your detailed explanation!

Ingo seems to be rather good at those. The last trivial question I asked got an exposé on precisely how the ports and base development processes interact with one another.

I propose a motion that every answer Ingo makes to a question be turned into a FAQ item.

Or, slightly more seriously, that response I got the other day on ports@ should be in a "how to do ports" document because wow, Ingo, you seem to have a knack for detailed (and *clear*) explanations and I don't think I thanked you for putting it all out there for me.

Matthew
Re: The su manual doesn't mention use root account by default
On Thu, Jun 13, 2019 at 08:55:09AM +0100, Andrew Luke Nesbit wrote:
> On 13/06/2019 07:17, Theo de Raadt wrote:
> > Mihai Popescu wrote:
> >
> >>> ... if no account is provided, root is the default
> >>
> >> I always considered that su is coming from _s_uper _u_ser. But maybe I
> >> am wrong, I am not from old UNIX days.
> >
> > incorrect.
> >
> > NAME
> > su - substitute user identity
> >
>
> I never noticed this before. It's my favorite bit of *nix trivia that
> defies misguided assumptions since I learned that `/etc` is apparently
> an initialism for "editable text configuration".
>
> Andrew

Right... and the perfect match to commonly used "et caetera" is just pure coincidence. Lol.
Re: The su manual doesn't mention use root account by default
On 13/06/2019 07:17, Theo de Raadt wrote:
> Mihai Popescu wrote:
>
>>> ... if no account is provided, root is the default
>>
>> I always considered that su is coming from _s_uper _u_ser. But maybe I
>> am wrong, I am not from old UNIX days.
>
> incorrect.
>
> NAME
> su - substitute user identity
>

I never noticed this before. It's my favorite bit of *nix trivia that defies misguided assumptions since I learned that `/etc` is apparently an initialism for "editable text configuration".

Andrew

-- 
OpenPGP key: EB28 0338 28B7 19DA DAB0 B193 D21D 996E 883B E5B9
Re: The su manual doesn't mention use root account by default
Hi Ingo,

Thanks for your detailed explanation!

Best Regards
Nan Xiao

On Wed, Jun 12, 2019 at 4:55 PM Ingo Schwarze wrote:
>
> Hello Nan Xiao,
>
> Nan Xiao wrote on Wed, Jun 12, 2019 at 02:19:08PM +0800:
>
> > I read su manual (https://man.openbsd.org/su.1), but can't find words
> > which said if no account is provided, root is the default.
>
> The BUGS section says so indirectly, but i agree that is not sufficient.
> A manual page ought to explain the behaviour of a utility explicitly
> and in the DESCRIPTION section. All the more so for aspects as important
> as the one you are talking about.
>
> > But for
> > doas(https://man.openbsd.org/doas.1), it has following words:
> >
> > -u user    Execute the command as user. The default is root.
> >
> > I am not a nitpicker, just curious whether I miss something? Thanks!
>
> In OpenBSD, we do not regard it as nitpicking when people point out
> bugs in manual pages. We regard bugs in manual pages just as much as
> bugs as bugs in code. We insist that manual pages have to be correct,
> complete, and concise.
>
> Consequently, your report is very much appreciated and i committed
> the bugfix shown below.
>
> Thank you,
> Ingo
>
>
> P.S.
> The reason this particular bug was able to survive for so long appears
> to be that su(1) has been obsolete as a tool for getting a root shell
> for a very long time. For that purpose, it is less secure than sudo(1)
> used to be, and even sudo(1) was swapped out of OpenBSD because
> something simpler like doas(1) is even more secure unless you really
> need the additional functionality. And even then, if possible,
> getting your task done in a simpler way that doas(1) can handle may
> provide a security benefit.
>
> Even though su(1) can still be used today to relinquish privilege
> when you are already root, no more development is done on it and people
> rarely look at the manual page.
The last time new functionality was > added to the su(1) manual page was almost a decade ago, and the > last time before that 17 years ago. > > Even though UNIX manual pages were always high quality documentation, > two decades ago, they weren't fully up to modern OpenBSD quality > standards yet. > > > CVSROOT:/cvs > Module name:src > Changes by: schwa...@cvs.openbsd.org2019/06/12 02:29:17 > > Modified files: > usr.bin/su : su.1 > > Log message: > when "login" is not specified, "root" is used; > omission reported by Nan Xiao on misc@ > > > Index: su.1 > === > RCS file: /cvs/src/usr.bin/su/su.1,v > retrieving revision 1.31 > retrieving revision 1.32 > diff -u -r1.31 -r1.32 > --- su.130 Jul 2015 08:03:49 - 1.31 > +++ su.112 Jun 2019 08:29:17 - 1.32 > @@ -49,6 +49,11 @@ > .Nm > utility allows a user to run a shell with the user and group ID of another > user > without having to log out and in as that other user. > +If the target > +.Ar login > +name is not specified, > +.Dq root > +is used. > .Pp > By default, the environment is unmodified with the exception of > .Ev LOGNAME ,
Re: The su manual doesn't mention use root account by default
Mihai Popescu wrote:
> > ... if no account is provided, root is the default
>
> I always considered that su is coming from _s_uper _u_ser. But maybe I
> am wrong, I am not from old UNIX days.

incorrect.

NAME
     su - substitute user identity
Re: The su manual doesn't mention use root account by default
> ... if no account is provided, root is the default

I always considered that su is coming from _s_uper _u_ser. But maybe I am wrong, I am not from old UNIX days.
Re: The su manual doesn't mention use root account by default
Hello Nan Xiao,

Nan Xiao wrote on Wed, Jun 12, 2019 at 02:19:08PM +0800:

> I read su manual (https://man.openbsd.org/su.1), but can't find words
> which said if no account is provided, root is the default.

The BUGS section says so indirectly, but i agree that is not sufficient.
A manual page ought to explain the behaviour of a utility explicitly
and in the DESCRIPTION section. All the more so for aspects as important
as the one you are talking about.

> But for
> doas(https://man.openbsd.org/doas.1), it has following words:
>
> -u user    Execute the command as user. The default is root.
>
> I am not a nitpicker, just curious whether I miss something? Thanks!

In OpenBSD, we do not regard it as nitpicking when people point out
bugs in manual pages. We regard bugs in manual pages just as much as
bugs as bugs in code. We insist that manual pages have to be correct,
complete, and concise.

Consequently, your report is very much appreciated and i committed
the bugfix shown below.

Thank you,
Ingo


P.S.
The reason this particular bug was able to survive for so long appears
to be that su(1) has been obsolete as a tool for getting a root shell
for a very long time. For that purpose, it is less secure than sudo(1)
used to be, and even sudo(1) was swapped out of OpenBSD because
something simpler like doas(1) is even more secure unless you really
need the additional functionality. And even then, if possible,
getting your task done in a simpler way that doas(1) can handle may
provide a security benefit.

Even though su(1) can still be used today to relinquish privilege
when you are already root, no more development is done on it and people
rarely look at the manual page. The last time new functionality was
added to the su(1) manual page was almost a decade ago, and the
last time before that 17 years ago.

Even though UNIX manual pages were always high quality documentation,
two decades ago, they weren't fully up to modern OpenBSD quality
standards yet.

CVSROOT:/cvs Module name:src Changes by: schwa...@cvs.openbsd.org2019/06/12 02:29:17 Modified files: usr.bin/su : su.1 Log message: when "login" is not specified, "root" is used; omission reported by Nan Xiao on misc@ Index: su.1 === RCS file: /cvs/src/usr.bin/su/su.1,v retrieving revision 1.31 retrieving revision 1.32 diff -u -r1.31 -r1.32 --- su.130 Jul 2015 08:03:49 - 1.31 +++ su.112 Jun 2019 08:29:17 - 1.32 @@ -49,6 +49,11 @@ .Nm utility allows a user to run a shell with the user and group ID of another user without having to log out and in as that other user. +If the target +.Ar login +name is not specified, +.Dq root +is used. .Pp By default, the environment is unmodified with the exception of .Ev LOGNAME ,
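Review bot: the added DESCRIPTION sentence ("If the target .Ar login name is not specified, .Dq root is used.") states the default unconditionally, but the BUGS section of the same page, visible in the HISTORY diff above ("The login name is not optional for root if there are shell arguments"), restricts it: when shell arguments are present, omitting the login name does not select root. Consider qualifying the new sentence, e.g. "If the target login name is not specified and no shell arguments are given, root is used", or adding a pointer to BUGS right there, so that the DESCRIPTION and BUGS sections do not contradict each other on the one point this fix is about.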