Re: Move auth_approval in su.c before fork is lost due to pledge?

2017-01-13 Thread Todd C. Miller
One change with this diff is that the approval script will run as
the invoking user, not the target user.  I'm not sure that really
makes a difference though.

 - todd



Re: Move auth_approval in su.c before fork is lost due to pledge?

2017-01-13 Thread Todd C. Miller
On 07 Jan 2017 21:14:17 -0700, "Andy Bradford" wrote:

> As  it   turns  out,  it  is   because  I  have  an   approve  entry  in
> /etc/login.conf  and this  requires  the ability  to  fork the  approval
> program. When su tries to run approve  it fails and I find the following
> in dmesg:
> 
> su(77960): syscall 2 "proc"
> 
> ktrace also  shows that pledge shut  it down. So is  the following patch
> correct? I  don't see any downsides,  but perhaps there reasons  for why
> auth_approval happens last?

This looks fine to me.  Since the approval script can do just about
anything it doesn't make sense to try to pledge it.

 - todd



Move auth_approval in su.c before fork is lost due to pledge?

2017-01-07 Thread Andy Bradford
Hello,

I noticed that my locate.database wasn't being updated:

Rebuilding locate database:
Abort trap 
Not installing locate database; zero size

>From the following:

echo "${UPDATEDB} --fcodes=- --tmpdir=${TMPDIR:-/tmp}" | \
nice -5 su -m nobody 2>/dev/null 1>$TMP

As  it   turns  out,  it  is   because  I  have  an   approve  entry  in
/etc/login.conf  and this  requires  the ability  to  fork the  approval
program. When su tries to run approve  it fails and I find the following
in dmesg:

su(77960): syscall 2 "proc"

ktrace also  shows that pledge shut  it down. So is  the following patch
correct? I  don't see any downsides,  but perhaps there reasons  for why
auth_approval happens last?

Index: su.c
===
RCS file: /home/cvs/src/usr.bin/su/su.c,v
retrieving revision 1.70
diff -u -p -r1.70 su.c
--- su.c30 Oct 2015 19:45:03 -  1.70
+++ su.c8 Jan 2017 04:07:14 -
@@ -215,6 +215,9 @@ main(int argc, char **argv)
fprintf(stderr, "Login incorrect\n");
}
 
+   if (pwd->pw_uid && auth_approval(as, lc, pwd->pw_name, "su") <= 0)
+   auth_err(as, 1, "approval failure");
+
if (pledge("stdio rpath getpw exec id", NULL) == -1)
err(1, "pledge");
 
@@ -332,9 +335,6 @@ main(int argc, char **argv)
 
if (pledge("stdio rpath exec", NULL) == -1)
err(1, "pledge");
-
-   if (pwd->pw_uid && auth_approval(as, lc, pwd->pw_name, "su") <= 0)
-   auth_err(as, 1, "approval failure");
auth_close(as);
 
execv(shell, np);


Thanks,

Andy
-- 
TAI64 timestamp: 40005871bcbe