Hello,
I noticed that my locate.database wasn't being updated:
Rebuilding locate database:
Abort trap
Not installing locate database; zero size
>From the following:
echo "${UPDATEDB} --fcodes=- --tmpdir=${TMPDIR:-/tmp}" | \
nice -5 su -m nobody 2>/dev/null 1>$TMP
As it turns out, it is because I have an approve entry in
/etc/login.conf and this requires the ability to fork the approval
program. When su tries to run approve it fails and I find the following
in dmesg:
su(77960): syscall 2 "proc"
ktrace also shows that pledge shut it down. So is the following patch
correct? I don't see any downsides, but perhaps there reasons for why
auth_approval happens last?
Index: su.c
===================================================================
RCS file: /home/cvs/src/usr.bin/su/su.c,v
retrieving revision 1.70
diff -u -p -r1.70 su.c
--- su.c 30 Oct 2015 19:45:03 -0000 1.70
+++ su.c 8 Jan 2017 04:07:14 -0000
@@ -215,6 +215,9 @@ main(int argc, char **argv)
fprintf(stderr, "Login incorrect\n");
}
+ if (pwd->pw_uid && auth_approval(as, lc, pwd->pw_name, "su") <= 0)
+ auth_err(as, 1, "approval failure");
+
if (pledge("stdio rpath getpw exec id", NULL) == -1)
err(1, "pledge");
@@ -332,9 +335,6 @@ main(int argc, char **argv)
if (pledge("stdio rpath exec", NULL) == -1)
err(1, "pledge");
-
- if (pwd->pw_uid && auth_approval(as, lc, pwd->pw_name, "su") <= 0)
- auth_err(as, 1, "approval failure");
auth_close(as);
execv(shell, np);
Thanks,
Andy
--
TAI64 timestamp: 400000005871bcbe
