Re: issue with login.conf(5) rtable and su -l user

2022-03-13 Thread Todd C. Miller
On Sun, 13 Mar 2022 12:02:03 -0500, Matthew Martin wrote:

> Ignoring -L which already honors rtable, su has three cases:
>   -l (asme=0 asthem=1)
>   -m (asme=1 asthem=0)
>      (asme=0 asthem=0)
>
> -l should honor rtable; I am not sure about the other two. I think the
> least surprising would be for the neither case to honor rtable and for -m
> to not, but I don't have a strong opinion here. Patch as suggested below.

Yes, I agree, su(1) should honor the rtable for all but -m.

 - todd



Re: issue with login.conf(5) rtable and su -l user

2022-03-13 Thread Matthew Martin
On Sun, Mar 13, 2022 at 02:30:23PM +0100, Solene Rapenne wrote:
> Hi, I'm playing with the new rtable feature in login.conf(5) but it
> seems one use case doesn't trigger the rtable change.
> 
> I have a user called alice, if I ssh locally from my user to alice
> with ssh alice@localhost, alice has the correct routing table, if I use
> as root "su -l alice", then alice seems to be using rtable 0.

Ignoring -L which already honors rtable, su has three cases:
  -l (asme=0 asthem=1)
  -m (asme=1 asthem=0)
     (asme=0 asthem=0)

-l should honor rtable; I am not sure about the other two. I think the
least surprising would be for the neither case to honor rtable and for -m
to not, but I don't have a strong opinion here. Patch as suggested below.

> If it works, I'm using rtable 1 (openvpn); if not, it's using rtable 0.

id -R will show the rtable directly.


diff --git su.c su.c
index f87e6690835..c2fbbe2724d 100644
--- su.c
+++ su.c
@@ -355,6 +355,8 @@ main(int argc, char **argv)
flags &= ~LOGIN_SETLOGIN;
} else {
flags = LOGIN_SETRESOURCES|LOGIN_SETGROUP|LOGIN_SETUSER;
+   if (!asme)
+   flags |= LOGIN_SETRTABLE;
if (asthem)
flags |= LOGIN_SETENV|LOGIN_SETPRIORITY|LOGIN_SETUMASK;
}
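Review bot: the -m exemption introduced by the `if (!asme)` guard is a user-visible behaviour change that su(1)'s manual page should state explicitly, i.e. that the rtable capability from login.conf(5) is now applied for -l and for the plain form but skipped with -m, matching the "least surprising" split agreed above; without that note, someone who sees id -R differ between `su -m alice` and `su alice` has nothing in the documentation to point to. The -L branch is rightly left alone here, since, as noted earlier in the thread, it already honors rtable through the full flag set.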



issue with login.conf(5) rtable and su -l user

2022-03-13 Thread Solene Rapenne
Hi, I'm playing with the new rtable feature in login.conf(5) but it
seems one use case doesn't trigger the rtable change.

I have a user called alice, if I ssh locally from my user to alice
with ssh alice@localhost, alice has the correct routing table, if I use
as root "su -l alice", then alice seems to be using rtable 0.

I have two rules in pf.conf to forbid alice from reaching the internet, so
when I want to test whether it works, I simply run "dig openbsd.org @9.9.9.9".
If it works, I'm using rtable 1 (openvpn); if not, it's using rtable 0.

block return on rdomain 0 proto tcp user alice
block return on rdomain 0 proto udp user alice


I think my configuration is fine.

file /etc/master.passwd:

alice:*:1007:1007:alice:0:0:,,,:/home/alice:/bin/ksh

file /etc/login.conf:

alice:\
:rtable=1:
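As an added example (not part of the thread, and not OpenBSD's own code), the script below turns the manual test described in this post, and the three su modes Matthew lists in his reply, into a repeatable check: it reads the user's login class from master.passwd, resolves the rtable= capability for that class from login.conf (following tc= links), then runs `su -l`, plain `su` and `su -m` and compares what `id -R` reports against the thread's agreed semantics (rtable honored for all but -m, which keeps the caller's table). It assumes OpenBSD file formats and tools (id -R, su -l/-m, /etc/master.passwd, /etc/login.conf), and that su(1) stops option parsing at the login name so a trailing -c 'id -R' is handed to the user's shell; the two parsing helpers only need awk and run on any system.

```shell
#!/bin/sh
# Added example, not from the thread. Checks which rtable each su(1) mode
# actually lands in against the rtable= capability that login.conf(5)
# assigns the user's login class. Assumptions: OpenBSD file formats and
# tools (id -R, su -l/-m, /etc/master.passwd, /etc/login.conf); su(1)
# stops option parsing at the login name, so a trailing -c 'id -R' is the
# user's shell's -c, not su's -c login-class. The parsing helpers use only
# awk and run anywhere.

# Login class of a user: 5th field of a master.passwd(5) record; an empty
# class field means "default".
login_class() {  # $1=master.passwd path, $2=user
    awk -F: -v u="$2" '$1 == u { print ($5 == "" ? "default" : $5); exit }' "$1"
}

# rtable capability of a login class from a login.conf(5)-format file.
# Joins backslash-continued lines into one record per entry, indexes each
# record under every name in its "name|alias" field, then resolves the
# requested class, following tc= links (max 10 hops) when the entry itself
# has no rtable. Prints nothing if no rtable is set anywhere in the chain.
rtable_for_class() {  # $1=login.conf path, $2=class
    awk -v c="$2" '
        /^[[:space:]]*#/ { next }
        /\\[[:space:]]*$/ { sub(/\\[[:space:]]*$/, ""); rec = rec $0; next }
        {
            rec = rec $0
            split(rec, f, ":"); k = split(f[1], names, "|")
            for (i = 1; i <= k; i++) if (names[i] != "") entry[names[i]] = rec
            rec = ""
        }
        END {
            for (hop = 0; hop < 10 && (c in entry); hop++) {
                n = split(entry[c], f, ":"); next_c = ""
                for (j = 2; j <= n; j++) {
                    if (f[j] ~ /^rtable[=#]/) { sub(/^rtable[=#]/, "", f[j]); print f[j]; exit }
                    if (f[j] ~ /^tc=/) next_c = substr(f[j], 4)
                }
                c = next_c
            }
        }' "$1"
}

# What the user's shell reports under a given su(1) mode. Must run as root.
# $2 is "-l", "-m" or empty (the plain form); it is left unquoted on purpose
# so an empty mode adds no argument at all.
su_rtable() {  # $1=user, $2=mode
    su $2 "$1" -c 'id -R' 2>/dev/null
}

# Compare login.conf's expectation with what each mode delivers. Per the
# thread: -l and the plain form should land in the class's rtable, -m keeps
# the caller's. A class without rtable= inherits the caller's table, which
# is assumed to be 0 here.
check_user() {  # $1=user
    class=$(login_class /etc/master.passwd "$1")
    want=$(rtable_for_class /etc/login.conf "$class")
    [ -n "$want" ] || want=0
    caller=$(id -R)   # root's own table: what -m is expected to keep
    status=0
    for mode in -l "" -m; do
        if [ "$mode" = -m ]; then expect=$caller; else expect=$want; fi
        got=$(su_rtable "$1" "$mode")
        printf 'su %-2s %s: rtable %s (expected %s, class %s)\n' \
            "$mode" "$1" "$got" "$expect" "$class"
        [ "$got" = "$expect" ] || status=1
    done
    return $status
}

# Only the live comparison needs OpenBSD and root; the helpers above do not.
if [ "$(uname)" = OpenBSD ] && [ "$(id -u)" = 0 ]; then
    check_user "${1:-alice}"
fi
```

Run it as root on the box in question, e.g. `sh check-su-rtable.sh alice`; a non-zero exit means at least one mode did not land where login.conf says it should. With the unpatched su(1) from the thread, the `-l` and plain lines would report rtable 0 against an expected 1 for alice; with the patch applied, only `-m` keeps the caller's table, which is the intended behaviour.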