Hello, I noticed that my locate.database wasn't being updated:

    Rebuilding locate database:
    Abort trap
    Not installing locate database; zero size

From the following:

    echo "${UPDATEDB} --fcodes=- --tmpdir=${TMPDIR:-/tmp}" | \
        nice -5 su -m nobody 2>/dev/null 1>$TMP

As it turns out, it is because I have an approve entry in /etc/login.conf and this requires the ability to fork the approval program. When su tries to run approve it fails and I find the following in dmesg:

    su(77960): syscall 2 "proc"

ktrace also shows that pledge shut it down.

So is the following patch correct? I don't see any downsides, but perhaps there are reasons for why auth_approval happens last?

Index: su.c =================================================================== RCS file: /home/cvs/src/usr.bin/su/su.c,v retrieving revision 1.70 diff -u -p -r1.70 su.c --- su.c 30 Oct 2015 19:45:03 -0000 1.70 +++ su.c 8 Jan 2017 04:07:14 -0000 @@ -215,6 +215,9 @@ main(int argc, char **argv) fprintf(stderr, "Login incorrect\n"); } + if (pwd->pw_uid && auth_approval(as, lc, pwd->pw_name, "su") <= 0) + auth_err(as, 1, "approval failure"); + if (pledge("stdio rpath getpw exec id", NULL) == -1) err(1, "pledge"); @@ -332,9 +335,6 @@ main(int argc, char **argv) if (pledge("stdio rpath exec", NULL) == -1) err(1, "pledge"); - - if (pwd->pw_uid && auth_approval(as, lc, pwd->pw_name, "su") <= 0) - auth_err(as, 1, "approval failure"); auth_close(as); execv(shell, np);

Thanks,
Andy

--
TAI64 timestamp: 400000005871bcbe
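
Review bot: In the first hunk (@@ -215,6 +215,9 @@), the new auth_approval() call sits directly after the closing brace of the "Login incorrect" block, and the visible context does not show that every failed-authentication path has already exited by that point. Please confirm that this line is reached only after authentication has succeeded and that pwd and lc hold their final values here; otherwise the approve program would run for a user who has not authenticated. A short comment above the call, saying that approval has to precede the first pledge() because the approval program is forked and neither promise string includes "proc", would keep a later cleanup from moving it back.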
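
Review bot: In the second hunk (@@ -332,9 +335,6 @@), removing the check from in front of auth_close(as) means approval is no longer the last gate before execv(shell, np): everything between the two hunks now runs after approval has already been granted. If any of that code can fail or exit, the approve program will have run and approved an su that never executes, so the commit message should state that this reordering is intended. Leaving pledge("stdio rpath exec", NULL) unchanged instead of adding "proc" to it is the better choice, since fork stays unavailable for the rest of main().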