Re: issue with login.conf(5) rtable and su -l user
On Sun, 13 Mar 2022 12:02:03 -0500, Matthew Martin wrote:

> Ignoring -L which already honors rtable, su has three cases:
> -l (asme=0 asthem=1)
> -m (asme=1 asthem=0)
>    (asme=0 asthem=0)
>
> -l should honor rtable; I am not sure about the other two. I think the
> least surprising would be for the neither case to honor rtable and for -m
> to not, but I don't have a strong opinion here. Patch as suggested below.

Yes, I agree, su(1) should honor the rtable for all but -m.

 - todd
Re: issue with login.conf(5) rtable and su -l user
On Sun, Mar 13, 2022 at 02:30:23PM +0100, Solene Rapenne wrote:
> Hi, I'm playing with the new rtable feature in login.conf(5) but it
> seems one use case doesn't trigger the rtable change.
>
> I have a user called alice. If I ssh locally from my user to alice
> with ssh alice@localhost, alice has the correct routing table; if I use
> as root "su -l alice", then alice seems to be using rtable 0.

Ignoring -L which already honors rtable, su has three cases:
-l (asme=0 asthem=1)
-m (asme=1 asthem=0)
   (asme=0 asthem=0)

-l should honor rtable; I am not sure about the other two. I think the
least surprising would be for the neither case to honor rtable and for -m
to not, but I don't have a strong opinion here. Patch as suggested below.

> if it works, I'm using rtable 1 (openvpn), if not, it's using rtable 0.

id -R will show the rtable directly.

diff --git su.c su.c
index f87e6690835..c2fbbe2724d 100644
--- su.c
+++ su.c
@@ -355,6 +355,8 @@ main(int argc, char **argv)
 		flags &= ~LOGIN_SETLOGIN;
 	} else {
 		flags = LOGIN_SETRESOURCES|LOGIN_SETGROUP|LOGIN_SETUSER;
+		if (!asme)
+			flags |= LOGIN_SETRTABLE;
 		if (asthem)
 			flags |= LOGIN_SETENV|LOGIN_SETPRIORITY|LOGIN_SETUMASK;
 	}
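Review bot: the diff touches only su.c, yet it changes user-visible behaviour (plain su and su -l now pick up the login class rtable, while su -m keeps the caller's), so su(1) should say that -m is the one mode that does not switch routing table, and login.conf(5) should point at that exception next to its rtable entry. Also, the new `if (!asme)` guard sits inside the else branch of an if/else whose condition is outside the hunk; if that condition is already asme, the guard is always true and LOGIN_SETRTABLE can go straight into the `flags = LOGIN_SETRESOURCES|LOGIN_SETGROUP|LOGIN_SETUSER;` initializer, and if it is not, a one-line comment stating that -m deliberately keeps the caller's rtable would spare the next reader the same question.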
issue with login.conf(5) rtable and su -l user
Hi, I'm playing with the new rtable feature in login.conf(5) but it
seems one use case doesn't trigger the rtable change.

I have a user called alice. If I ssh locally from my user to alice
with ssh alice@localhost, alice has the correct routing table; if I use
as root "su -l alice", then alice seems to be using rtable 0.

I have two rules in pf.conf to forbid alice to reach the internet, so when
I want to try if it works, I simply run "dig openbsd.org @9.9.9.9"; if it
works, I'm using rtable 1 (openvpn), if not, it's using rtable 0.

block return on rdomain 0 proto tcp user alice
block return on rdomain 0 proto udp user alice

I think my configuration is fine.

file /etc/master.passwd:
alice:*:1007:1007:alice:0:0:,,,:/home/alice:/bin/ksh

file /etc/login.conf:
alice:\
	:rtable=1: