Hi Bernd,
On 13.05.2014 16:13, Bernd Wachter wrote:
> Mehdi El Gueddari <me...@tickmeet.com> writes:
>
>> I've been googling long and hard but haven't been able to find much
>> information about the 'devel-su' command, beyond the fact that it's the
>> command to use on Sailfish to switch to the root user. I also couldn't find
>> the source code for it anywhere.
> I'm the author, and the source is (currently) not open. It is on the
> list of stuff I'd like to see opened up when I have time for that,
> though. It's one of those small utilities you can easily write during
> your lunch break, if you have a basic understanding of UNIX concepts.

It has been over 3 years since this post was written. Has anything moved forward with respect to open sourcing this utility?

>
>> If there is someone with more insider knowledge here, I'd love to hear
>> about where this command came from and how it differs from 'su'.
>>
>> The first mentions of 'devel-su' I've been able to find were from 2011 in
>> relation to MeeGo. I couldn't find any information about why this command
>> was created for MeeGo though. It may have been related to MeeGo's security
>> platform Aegis (part of the Mobile Simplified Security Framework it seems)
>> but there's precious little information about Aegis or MSSF out there.
>>
>> Back in the MeeGo days, 'devel-su' would let you switch to, quite
>> literally, a developer super user account, which had more privileges than a
>> normal user but wasn't quite root (or at least it seems that way from the
>> few user complaints I could find).
> This devel-su did indeed have ties to aegis, and it let you do
> everything not explicitly prevented by aegis settings. Aegis blocked
> several useful things, which caused the annoyance.
>
> The Sailfish devel-su only shares the name -- it was chosen to have it
> easily discoverable for developers coming from MeeGo/Harmattan, but was
> written from scratch. It's available as su-devel as well to make it
> better discoverable for people without MeeGo background.
>
>> Sailfish is very different however. There's no Aegis there. The 'devel-su'
>> command lets you switch to the real root user and gives you full root
>> access to your device. In fact, once you're root, you can just reset the
>> root user password (which appears to not be set or be set to a random value
>> by default) and then just use the 'su' command normally instead of
>> 'devel-su' (
>> https://together.jolla.com/question/30565/howto-using-su-instead-of-devel-su/
>> ).
>>
>> So why 'devel-su' then?
>>
>> AFAICS, one difference between 'su' and 'devel-su' is that 'devel-su'
>> checks the password set in the device's Developer Mode settings instead of
>> using the normal root password. So you can disable root login via
>> 'devel-su' or change the 'devel-su' password there.
> To be more precise, the settings page sets the password for the nemo user,
> and devel-su authenticates using the user's password, instead of the root
> password, as used by su. Reason for that setup is just to be as paranoid
> as possible when it comes to access of your device, which includes a
> disabled root user. You're free to do whatever you want with your
> device, though.
>
> The other question which might come up would be "why not sudo": Back
> when we were building the phone sudo did not work very well with
> systemd. Additionally it's pretty complex, easy to break, and had its
> share of exploits. devel-su is about 150 lines, including boilerplate,
> so quite easy to audit.
> Bernd

Regards,
Marcin

_______________________________________________
SailfishOS.org Devel mailing list
To unsubscribe, please send a mail to devel-unsubscr...@lists.sailfishos.org
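
An added example, not part of the thread and not Jolla's code: a small audit script for the account layout described above, where root has no usable password and the `nemo` user holds the password that devel-su checks. It assumes a standard shadow(5) file; the sample entries and hash strings are constructed placeholders.

```python
# Added example: audit shadow(5) password fields for the layout described in
# the thread (root disabled, the user account holds the password).
# SAMPLE_SHADOW is constructed; its hash strings are placeholders, not real.
import sys

SAMPLE_SHADOW = """\
root:!:16203:0:99999:7:::
nemo:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:16203:0:99999:7:::
"""

def classify(field):
    """Map a shadow password field to 'empty', 'locked' or 'set'."""
    if field == "":
        return "empty"    # no password required at all
    if field[0] in "!*":
        return "locked"   # not a valid crypt(3) result, password login fails
    return "set"          # anything else is treated as a password hash

def parse_shadow(text):
    """Return {login: state} for every entry in shadow-format text."""
    states = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            raise ValueError(f"line {lineno}: not a shadow entry")
        states[parts[0]] = classify(parts[1])
    return states

def audit(text, user="nemo"):
    """Return a list of findings; an empty list means the layout matches."""
    states = parse_shadow(text)
    findings = []
    root_state = states.get("root", "missing")
    if root_state != "locked":
        findings.append(f"root: {root_state}, expected locked")
    user_state = states.get(user, "missing")
    if user_state != "set":
        findings.append(f"{user}: {user_state}, expected set")
    return findings

if __name__ == "__main__":
    # With a path argument, audit that file (reading it needs root).
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for finding in audit(data) or ["ok: root locked, user password set"]:
        print(finding)
```

A finding of `root: set` is what the check reports after someone has reset the root password to use plain `su`, as the linked how-to describes.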