Hello,

I noticed that my locate.database wasn't being updated:

Rebuilding locate database:
Abort trap 
Not installing locate database; zero size

From the following:

                echo "${UPDATEDB} --fcodes=- --tmpdir=${TMPDIR:-/tmp}" | \
                    nice -5 su -m nobody 2>/dev/null 1>$TMP

As it turns out, it is because I have an approve entry in
/etc/login.conf and this requires the ability to fork the approval
program. When su tries to run approve it fails and I find the following
in dmesg:

su(77960): syscall 2 "proc"

ktrace also shows that pledge shut it down. So is the following patch
correct? I don't see any downsides, but perhaps there are reasons why
auth_approval happens last?

Index: su.c
===================================================================
RCS file: /home/cvs/src/usr.bin/su/su.c,v
retrieving revision 1.70
diff -u -p -r1.70 su.c
--- su.c        30 Oct 2015 19:45:03 -0000      1.70
+++ su.c        8 Jan 2017 04:07:14 -0000
@@ -215,6 +215,9 @@ main(int argc, char **argv)
                fprintf(stderr, "Login incorrect\n");
        }
 
+       if (pwd->pw_uid && auth_approval(as, lc, pwd->pw_name, "su") <= 0)
+               auth_err(as, 1, "approval failure");
+
        if (pledge("stdio rpath getpw exec id", NULL) == -1)
                err(1, "pledge");
 
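Review bot: The relocated auth_approval() call now sits above pledge("stdio rpath getpw exec id", NULL), so the approval program is forked with no pledge in force and before any of the work that the "getpw" and "id" promises are kept for. The second hunk shows the check used to run only after the promises had been narrowed to "stdio rpath exec", which means the approve script may now see different credentials or environment than it did before; please confirm that is acceptable for existing approve scripts. The visible context also does not show that authentication is guaranteed to have succeeded at this point (only the tail of the "Login incorrect" block is shown), so check that no path reaches the approval call for an unauthenticated caller. A short comment above the call saying that auth_approval() may fork and therefore must come before pledge would keep someone from moving it back later.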
@@ -332,9 +335,6 @@ main(int argc, char **argv)
 
        if (pledge("stdio rpath exec", NULL) == -1)
                err(1, "pledge");
-
-       if (pwd->pw_uid && auth_approval(as, lc, pwd->pw_name, "su") <= 0)
-               auth_err(as, 1, "approval failure");
        auth_close(as);
 
        execv(shell, np);
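Review bot: Removing the blank line along with the approval check leaves auth_close(as) directly under err(1, "pledge"), which reads as if it belonged to the pledge error path; keep one blank line between the pledge check and auth_close(as). With the check gone from here, an approval failure is no longer the last gate before execv(shell, np), so anything between the two hunks that has side effects now runs only after approval has already been granted; the commit message should say that this reordering is intentional.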


Thanks,

Andy
-- 
TAI64 timestamp: 400000005871bcbe

