Re: How to add su to /rescue ?

2018-07-12 Thread Julian H. Stacey
Guy Helmer wrote:
> > On Jul 9, 2018, at 6:54 AM, Julian H. Stacey wrote:
> > Hi current@
> > I want to add su to /rescue, but got stuck on pam.
> > Old unix su didn't suffer from pam.
> > There's no #define in su to turn off pam.
> > Man src.conf says WITHOUT_PAM is deprecated & does nothing.
> > 
> > Can someone please offer a solution ?
> > Or better to include a simple BSD su pre pam ?
> > I would happily develop a patch for that.
> Hi,
> Aside from not being able to use pam from a static executable, please don’t 
> try to make the crunched hard-linked executable in /rescue setuid-root (su is 
> useless without it). That would mean anyone running /rescue/sh gets a root 
> shell :-)

Thanks Guy !  Yes all SUID 0 would be very wrong.


> Conceptually, a separate crunchgen binary could be made for setuid-root 
> purposes, but having a setuid-root binary in /rescue (outside of the normal 
> hierarchy) makes me nervous.

In case other suid things are also needed later, I created a local
src/rescue/suid/ with an old su.c pre PAM, Thanks to Diane Bruce,
& a diff & Makefile to drive it.
http://berklix.com/~jhs/src/bsd/fixes/freebsd/src/gen/rescue/
It works, but improvements welcome.

Cheers,
Julian
-- 
Julian Stacey, Computer Consultant, Systems Engineer, BSD Linux Unix, Munich
 Brexit Referendum stole 3.7 million votes inc. 700,000 from British in EU.
 UK Government lies it's democratic in Article 50 paragraph 3 of letter to EU.
http://exitbrexit.uk
___
freebsd-current@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-current
To unsubscribe, send any mail to "freebsd-current-unsubscr...@freebsd.org"
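
The concern raised above about a setuid bit on the crunched, hard-linked /rescue binary can be checked mechanically. The script below is an added example, not code from the thread or from FreeBSD; the function names and the temporary directory standing in for /rescue are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. All names below are constructed.

# List every regular file under DIR that carries a setuid or setgid bit
# AND has more than one hard link. Mode bits live in the inode, so every
# name linked to a crunched binary shares them.
setid_hardlinks() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -links +1 -print | sort
}

# Build a constructed stand-in for /rescue: one file, several names.
make_fake_rescue() {
    printf '#!/bin/sh\n' > "$1/crunched"
    for name in sh cp su; do
        ln "$1/crunched" "$1/$name" || return 1
    done
}

# Show the effect of setting the bit through just one of the names.
demo() {
    tmp=$(mktemp -d "${TMPDIR:-/tmp}/rescue-audit.XXXXXX") || return 1
    make_fake_rescue "$tmp" || return 1
    before=$(cd "$tmp" && setid_hardlinks .)
    chmod u+s "$tmp/su"
    after=$(cd "$tmp" && setid_hardlinks .)
    rm -rf "$tmp"
    printf 'before chmod u+s su: %s\n' "${before:-<none>}"
    printf 'after:\n%s\n' "$after"
}

demo
```

To audit a real system, call `setid_hardlinks /rescue`; any name it prints shares a set-id inode with the others listed.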


Re: How to add su to /rescue ?

2018-07-09 Thread Guy Helmer

> On Jul 9, 2018, at 6:54 AM, Julian H. Stacey wrote:
> 
> Hi current@
> I want to add su to /rescue, but got stuck on pam.
> Old unix su didn't suffer from pam.
> There's no #define in su to turn off pam.
> Man src.conf says WITHOUT_PAM is deprecated & does nothing.
> 
> Can someone please offer a solution ?
> Or better to include a simple BSD su pre pam ?
> I would happily develop a patch for that.


Hi,

Aside from not being able to use pam from a static executable, please don’t try 
to make the crunched hard-linked executable in /rescue setuid-root (su is 
useless without it). That would mean anyone running /rescue/sh gets a root 
shell :-)

Conceptually, a separate crunchgen binary could be made for setuid-root 
purposes, but having a setuid-root binary in /rescue (outside of the normal 
hierarchy) makes me nervous.

Regards,
Guy 

> 
> Notes to explain the need, & patches from my
> http://berklix.com/~jhs/src/bsd/fixes/freebsd/src/gen/rescue/
> -
> 
> Patch[es] below to solve this emailed scenario:
>> Please on prison-host cp /lib/libc.so.7 /tank/ezjail/my-domain/lib/libc.so.7
>> I am logged in on jail-host, but only as normal-user, not root, so I cannot run
>>  /rescue/cp /usr/obj/usr/src/lib/libc/libc.so.7 /lib/libc.so.7
>> 
>> a my make installworld on jail-host.my-domain previously failed with
>>  ===> lib/libc (install)
>>  install -C -o root -g wheel -m 444   libc.a /usr/lib
>>  install -C -o root -g wheel -m 444   libc_p.a /usr/lib
>>  install -s -o root -g wheel -m 444   -fschg -S  libc.so.7 /lib
>>  install: /lib/libc.so.7: chflags: Operation not permitted
>>  *** Error code 71
>> (might or not be an artifact of being in a jail)
>> 
>> unfortunately I had run the command as
>>  xs make installworld
>> (xs is my own little root wrapper)
>> so when it exited, I was just normal-user not root, & I had forgotten to
>> open another xterm & leave it logged in as root,
>> & I found no /rescue/su
> 
