GNU bug report logs - #7572
[PATCH] PAM support for su


Package: coreutils;

Reported by: Ludwig Nussel <ludwig.nussel <at> suse.de>

Date: Mon, 6 Dec 2010 12:39:01 UTC

Severity: normal

Tags: patch

Done: Ludwig Nussel <ludwig.nussel <at> suse.de>

Bug is archived. No further changes may be made.



Report forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org:
bug#7572; Package coreutils. (Mon, 06 Dec 2010 12:39:01 GMT) Full text and rfc822 format available.

Acknowledgement sent to Ludwig Nussel <ludwig.nussel <at> suse.de>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Mon, 06 Dec 2010 12:39:01 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Ludwig Nussel <ludwig.nussel <at> suse.de>
To: bug-coreutils <at> gnu.org
Cc: Ludwig Nussel <ludwig.nussel <at> suse.de>
Subject: [PATCH] PAM support for su
Date: Mon,  6 Dec 2010 13:40:58 +0100
Distributions that use su from coreutils need PAM support. This
patch is a merged version of the patches that at least the SUSE
and Red Hat distributions have carried for years. I don't know
whether anyone has ever tried to submit the patch upstream, though.
So here it is :-)

---
 configure.ac    |   14 +++
 src/Makefile.am |    4 +-
 src/su.c        |  266 ++++++++++++++++++++++++++++++++++++++++++++++++++++++-
 3 files changed, 278 insertions(+), 6 deletions(-)

diff --git a/configure.ac b/configure.ac
index 7101847..ee3c0e7 100644
--- a/configure.ac
+++ b/configure.ac
@@ -134,6 +134,20 @@ fi
 
 AC_FUNC_FORK
 
+AC_ARG_ENABLE(pam, AS_HELP_STRING([--disable-pam],
+	[Enable PAM support in su (default=auto)]), , [enable_pam=yes])
+if test "x$enable_pam" != xno; then
+  AC_CHECK_LIB([pam], [pam_start], [enable_pam=yes], [enable_pam=no])
+  AC_CHECK_LIB([pam_misc], [misc_conv], [:], [enable_pam=no])
+  if test "x$enable_pam" != xno; then
+    AC_DEFINE(USE_PAM, 1, [Define if you want to use PAM])
+    PAM_LIBS="-lpam -lpam_misc"
+    AC_SUBST(PAM_LIBS)
+  fi
+fi
+AC_MSG_CHECKING([whether to enable PAM support in su])
+AC_MSG_RESULT([$enable_pam])
+
 optional_bin_progs=
 AC_CHECK_FUNCS([chroot],
         gl_ADD_PROG([optional_bin_progs], [chroot]))
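Review bot: An explicit `--enable-pam` silently degrades to a non-PAM su when libpam or libpam_misc is missing, because both AC_CHECK_LIB failure branches only set `enable_pam=no` and the default of `yes` makes a request indistinguishable from the default. For a setuid authentication tool that is a risky fallback: the resulting binary does not consult the policy an administrator put in /etc/pam.d/su, and the only trace is one line of configure output. Defaulting to `auto` and failing hard when PAM was requested but not found avoids that. The help string also pairs `--disable-pam` with the text "Enable PAM support", which should be reworded to describe what the option does.

```m4
AC_ARG_ENABLE([pam], [AS_HELP_STRING([--disable-pam],
	[build su without PAM (default: use PAM when available)])], ,
	[enable_pam=auto])
if test "x$enable_pam" != xno; then
  pam_requested=$enable_pam
  AC_CHECK_LIB([pam], [pam_start], [enable_pam=yes], [enable_pam=no])
  AC_CHECK_LIB([pam_misc], [misc_conv], [:], [enable_pam=no])
  if test "x$pam_requested" = xyes && test "x$enable_pam" = xno; then
    AC_MSG_ERROR([--enable-pam was given but libpam or libpam_misc was not found])
  fi
  dnl … unchanged: AC_DEFINE(USE_PAM), PAM_LIBS, AC_SUBST …
fi
```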
diff --git a/src/Makefile.am b/src/Makefile.am
index 00c7ff7..bc27274 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -351,8 +351,8 @@ factor_LDADD += $(LIB_GMP)
 # for getloadavg
 uptime_LDADD += $(GETLOADAVG_LIBS)
 
-# for crypt
-su_LDADD += $(LIB_CRYPT)
+# for crypt and pam
+su_LDADD += $(LIB_CRYPT) $(PAM_LIBS)
 
 # for various ACL functions
 copy_LDADD += $(LIB_ACL)
diff --git a/src/su.c b/src/su.c
index f8f5b61..1d3d007 100644
--- a/src/su.c
+++ b/src/su.c
@@ -37,6 +37,16 @@
    restricts who can su to UID 0 accounts.  RMS considers that to
    be fascist.
 
+#ifdef USE_PAM
+
+   Actually, with PAM, su has nothing to do with whether or not a
+   wheel group is enforced by su.  RMS tries to restrict your access
+   to a su which implements the wheel group, but PAM considers that
+   to be fascist, and gives the user/sysadmin the opportunity to
+   enforce a wheel group by proper editing of /etc/pam.d/su
+
+#endif
+
    Compile-time options:
    -DSYSLOG_SUCCESS	Log successful su's (by default, to root) with syslog.
    -DSYSLOG_FAILURE	Log failed su's (by default, to root) with syslog.
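Review bot: The added `#ifdef USE_PAM` and `#endif` lines appear to sit inside the file's header block comment (the context lines around them are comment prose), so the preprocessor never sees them and the paragraph is present in every build. Drop the two directives and open the paragraph with the condition in words, e.g. `When built with PAM support (USE_PAM), su itself does not decide whether a wheel group is enforced; that policy is configured in /etc/pam.d/su.` That wording also states the operational point plainly: on PAM builds the restriction on who may become root lives in the PAM service file, not in su. The comment begins and ends outside this hunk.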
@@ -52,6 +62,13 @@
 #include <sys/types.h>
 #include <pwd.h>
 #include <grp.h>
+#ifdef USE_PAM
+#include <security/pam_appl.h>
+#include <security/pam_misc.h>
+#include <signal.h>
+#include <sys/wait.h>
+#include <sys/fsuid.h>
+#endif
 
 #include "system.h"
 #include "getpass.h"
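Review bot: `#include <sys/fsuid.h>` is a Linux-specific header, and nothing in the visible hunks calls setfsuid, so it looks like a leftover from one of the merged distribution patches. With USE_PAM defined it would break the build on other systems that ship PAM (Solaris packaging is mentioned later in this thread) without providing anything. I would drop the line, or put it behind a configure check if code outside this patch really needs it.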
@@ -111,7 +128,9 @@
 /* The user to become if none is specified.  */
 #define DEFAULT_USER "root"
 
+#ifndef USE_PAM
 char *crypt (char const *key, char const *salt);
+#endif
 
 static void run_shell (char const *, char const *, char **, size_t)
      ATTRIBUTE_NORETURN;
@@ -125,6 +144,11 @@ static bool simulate_login;
 /* If true, change some environment vars to indicate the user su'd to.  */
 static bool change_environment;
 
+#ifdef USE_PAM
+static bool _pam_session_opened;
+static bool _pam_cred_established;
+#endif
+
 static struct option const longopts[] =
 {
   {"command", required_argument, NULL, 'c'},
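Review bot: `_pam_session_opened` and `_pam_cred_established` are file-scope identifiers that begin with an underscore, which C reserves for the implementation at file scope, and the `_pam_` prefix in particular risks colliding with names from the PAM headers. Plain names such as `pam_session_opened` and `pam_cred_established` avoid that. Both are declared `bool` but assigned `1` in later hunks; `true` would match the rest of the file. A one-line comment on each saying which cleanup step it gates (pam_close_session and pam_setcred with PAM_DELETE_CRED) would help the reader of cleanup_pam.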
@@ -200,7 +224,164 @@ log_su (struct passwd const *pw, bool successful)
 }
 #endif
 
+#ifdef USE_PAM
+#define PAM_SERVICE_NAME PROGRAM_NAME
+#define PAM_SERVICE_NAME_L PROGRAM_NAME "-l"
+static sig_atomic_t volatile caught_signal = false;
+static pam_handle_t *pamh = NULL;
+static int retval;
+static struct pam_conv conv =
+{
+  misc_conv,
+  NULL
+};
+
+#define PAM_BAIL_P(a) \
+  if (retval) \
+    { \
+      pam_end (pamh, retval); \
+      a; \
+    }
+
+static void
+cleanup_pam (int retcode)
+{
+  if (_pam_session_opened)
+    pam_close_session (pamh, 0);
+
+  if (_pam_cred_established)
+    pam_setcred (pamh, PAM_DELETE_CRED | PAM_SILENT);
+
+  pam_end(pamh, retcode);
+}
+
+/* Signal handler for parent process.  */
+static void
+su_catch_sig (int sig)
+{
+  caught_signal = true;
+}
+
+/* Export env variables declared by PAM modules.  */
+static void
+export_pamenv (void)
+{
+  char **env;
+
+  /* This is a copy but don't care to free as we exec later anyways.  */
+  env = pam_getenvlist (pamh);
+  while (env && *env)
+    {
+      if (putenv (*env) != 0)
+	xalloc_die ();
+      env++;
+    }
+}
+
+static void
+create_watching_parent (void)
+{
+  pid_t child;
+  sigset_t ourset;
+  int status = 0;
+
+  retval = pam_open_session (pamh, 0);
+  if (retval != PAM_SUCCESS)
+    {
+      cleanup_pam (retval);
+      error (EXIT_FAILURE, 0, _("cannot not open session: %s"),
+	     pam_strerror (pamh, retval));
+    }
+  else
+    _pam_session_opened = 1;
+
+  child = fork ();
+  if (child == (pid_t) -1)
+    {
+      cleanup_pam (PAM_ABORT);
+      error (EXIT_FAILURE, errno, _("cannot create child process"));
+    }
+
+  /* the child proceeds to run the shell */
+  if (child == 0)
+    return;
+
+  /* In the parent watch the child.  */
+
+  /* su without pam support does not have a helper that keeps
+     sitting on any directory so let's go to /.  */
+  if (chdir ("/") != 0)
+    error (0, errno, _("warning: cannot change directory to %s"), "/");
+
+  sigfillset (&ourset);
+  if (sigprocmask (SIG_BLOCK, &ourset, NULL))
+    {
+      error (0, errno, _("cannot block signals"));
+      caught_signal = true;
+    }
+  if (!caught_signal)
+    {
+      struct sigaction action;
+      action.sa_handler = su_catch_sig;
+      sigemptyset (&action.sa_mask);
+      action.sa_flags = 0;
+      sigemptyset (&ourset);
+      if (sigaddset (&ourset, SIGTERM)
+	  || sigaddset (&ourset, SIGALRM)
+	  || sigaction (SIGTERM, &action, NULL)
+	  || sigprocmask (SIG_UNBLOCK, &ourset, NULL))
+	{
+	  error (0, errno, _("cannot set signal handler"));
+	  caught_signal = true;
+	}
+    }
+  if (!caught_signal)
+    {
+      pid_t pid;
+      for (;;)
+	{
+	  pid = waitpid (child, &status, WUNTRACED);
+
+	  if (pid != (pid_t)-1 && WIFSTOPPED (status))
+	    {
+	      kill (getpid (), SIGSTOP);
+	      /* once we get here, we must have resumed */
+	      kill (pid, SIGCONT);
+	    }
+	  else
+	    break;
+	}
+      if (pid != (pid_t)-1)
+	if (WIFSIGNALED (status))
+	  status = WTERMSIG (status) + 128;
+	else
+	  status = WEXITSTATUS (status);
+      else
+	status = 1;
+    }
+  else
+    status = 1;
+
+  if (caught_signal)
+    {
+      fprintf (stderr, _("\nSession terminated, killing shell..."));
+      kill (child, SIGTERM);
+    }
+
+  cleanup_pam (PAM_SUCCESS);
+
+  if (caught_signal)
+    {
+      sleep (2);
+      kill (child, SIGKILL);
+      fprintf (stderr, _(" ...killed.\n"));
+    }
+  exit (status);
+}
+#endif
+
 /* Ask the user for a password.
+   If PAM is in use, let PAM ask for the password if necessary.
    Return true if the user gives the correct password for entry PW,
    false if not.  Return true without asking for a password if run by UID 0
    or if PW has an empty password.  */
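Review bot: In create_watching_parent the pam_open_session failure branch calls `cleanup_pam (retval)`, which ends with `pam_end`, and only afterwards passes `pamh` to `pam_strerror`, so the message is looked up through a handle that has already been released. Report first and clean up after: `error (0, 0, _("cannot open session: %s"), pam_strerror (pamh, retval)); cleanup_pam (retval); exit (EXIT_FAILURE);`, which also removes the "cannot not" slip in the message. Separately, the parent unblocks SIGALRM but installs su_catch_sig only for SIGTERM, so a SIGALRM takes its default action and ends the parent without cleanup_pam, leaving the session open and the shell unsupervised; add `|| sigaction (SIGALRM, &action, NULL)` or stop unblocking it. PAM_BAIL_P expands to a bare `if` and should be wrapped in `do { ... } while (0)` so it cannot capture a following `else`.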
@@ -208,10 +389,52 @@ log_su (struct passwd const *pw, bool successful)
 static bool
 correct_password (const struct passwd *pw)
 {
+#ifdef USE_PAM
+  const struct passwd *lpw;
+  const char *cp;
+
+  retval = pam_start (simulate_login ? PAM_SERVICE_NAME_L : PAM_SERVICE_NAME,
+		      pw->pw_name, &conv, &pamh);
+  PAM_BAIL_P (return false);
+
+  if (isatty (0) && (cp = ttyname (0)) != NULL)
+    {
+      const char *tty;
+
+      if (strncmp (cp, "/dev/", 5) == 0)
+	tty = cp + 5;
+      else
+	tty = cp;
+      retval = pam_set_item (pamh, PAM_TTY, tty);
+      PAM_BAIL_P (return false);
+    }
+#if 0 /* Manpage discourages use of getlogin.  */
+  cp = getlogin ();
+  if (!(cp && *cp && (lpw = getpwnam (cp)) != NULL && lpw->pw_uid == getuid ()))
+#endif
+  lpw = getpwuid (getuid ());
+  if (lpw && lpw->pw_name)
+    {
+      retval = pam_set_item (pamh, PAM_RUSER, (const void *) lpw->pw_name);
+      PAM_BAIL_P (return false);
+    }
+  retval = pam_authenticate (pamh, 0);
+  PAM_BAIL_P (return false);
+  retval = pam_acct_mgmt (pamh, 0);
+  if (retval == PAM_NEW_AUTHTOK_REQD)
+    {
+      /* Password has expired.  Offer option to change it.  */
+      retval = pam_chauthtok (pamh, PAM_CHANGE_EXPIRED_AUTHTOK);
+      PAM_BAIL_P (return false);
+    }
+  PAM_BAIL_P (return false);
+  /* Must be authenticated if this point was reached.  */
+  return true;
+#else /* !USE_PAM */
   char *unencrypted, *encrypted, *correct;
 #if HAVE_GETSPNAM && HAVE_STRUCT_SPWD_SP_PWDP
   /* Shadow passwd stuff for SVR3 and maybe other systems.  */
-  struct spwd *sp = getspnam (pw->pw_name);
+  const struct spwd *sp = getspnam (pw->pw_name);
 
   endspent ();
   if (sp)
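Review bot: Every PAM failure in the USE_PAM branch of correct_password (pam_start, pam_set_item, pam_authenticate, pam_acct_mgmt, pam_chauthtok) collapses to `return false` through PAM_BAIL_P with the PAM error discarded, so an expired account or a broken service file presumably looks the same as a wrong password to the user and to anyone reading the logs. Consider reporting `pam_strerror (pamh, retval)`, at least to syslog, before `pam_end`, and setting `pamh = NULL` afterwards, since the handle is a file-scope static that cleanup_pam uses later. The function comment still says that UID 0 and empty passwords skip the prompt, which with PAM is decided by the service configuration; it should say so, e.g. `With PAM, whether root or a passwordless account is prompted is decided by the PAM stack for this service.` The non-PAM body of correct_password continues past the end of this hunk.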
@@ -232,6 +455,7 @@ correct_password (const struct passwd *pw)
   encrypted = crypt (unencrypted, correct);
   memset (unencrypted, 0, strlen (unencrypted));
   return STREQ (encrypted, correct);
+#endif /* !USE_PAM */
 }
 
 /* Update `environ' for the new shell based on PW, with SHELL being
@@ -274,19 +498,41 @@ modify_environment (const struct passwd *pw, const char *shell)
             }
         }
     }
+
+#ifdef USE_PAM
+  export_pamenv ();
+#endif
 }
 
 /* Become the user and group(s) specified by PW.  */
 
 static void
-change_identity (const struct passwd *pw)
+init_groups (const struct passwd *pw)
 {
 #ifdef HAVE_INITGROUPS
   errno = 0;
   if (initgroups (pw->pw_name, pw->pw_gid) == -1)
-    error (EXIT_CANCELED, errno, _("cannot set groups"));
+    {
+#ifdef USE_PAM
+      cleanup_pam (PAM_ABORT);
+#endif
+      error (EXIT_FAILURE, errno, _("cannot set groups"));
+    }
   endgrent ();
 #endif
+
+#ifdef USE_PAM
+  retval = pam_setcred (pamh, PAM_ESTABLISH_CRED);
+  if (retval != PAM_SUCCESS)
+    error (EXIT_FAILURE, 0, "%s", pam_strerror (pamh, retval));
+  else
+    _pam_cred_established = 1;
+#endif
+}
+
+static void
+change_identity (const struct passwd *pw)
+{
   if (setgid (pw->pw_gid))
     error (EXIT_CANCELED, errno, _("cannot set group id"));
   if (setuid (pw->pw_uid))
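Review bot: The pam_setcred failure branch in init_groups exits through `error (EXIT_FAILURE, 0, "%s", pam_strerror (pamh, retval))` without ending the PAM transaction, while the initgroups failure branch just above calls `cleanup_pam (PAM_ABORT)` first. Make the two consistent by printing with `error (0, 0, "%s", pam_strerror (pamh, retval));` and then `cleanup_pam (retval); exit (EXIT_FAILURE);`. The hunk also changes the "cannot set groups" exit status from EXIT_CANCELED to EXIT_FAILURE outside any USE_PAM guard, which looks unintended given that change_identity keeps EXIT_CANCELED. The comment `/* Become the user and group(s) specified by PW.  */` now sits on init_groups; it belongs on change_identity, and init_groups needs its own one-line description. change_identity's body continues outside the hunk.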
@@ -500,9 +746,21 @@ main (int argc, char **argv)
       shell = NULL;
     }
   shell = xstrdup (shell ? shell : pw->pw_shell);
-  modify_environment (pw, shell);
+
+  init_groups (pw);
+
+#ifdef USE_PAM
+  create_watching_parent ();
+  /* Now we're in the child.  */
+#endif
 
   change_identity (pw);
+
+  /* Set environment after pam_open_session, which may put KRB5CCNAME
+     into the pam_env, etc.  */
+
+  modify_environment (pw, shell);
+
   if (simulate_login && chdir (pw->pw_dir) != 0)
     error (0, errno, _("warning: cannot change directory to %s"), pw->pw_dir);
 
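Review bot: The new call order in main is load-bearing but only half explained: init_groups (which calls pam_setcred) has to run before create_watching_parent so that the process that stays behind and later runs cleanup_pam is the one that established the credentials and opened the session. I would say so above `init_groups (pw);`, e.g. `/* Establish groups and PAM credentials before forking; the parent that stays behind deletes them and closes the session.  */`. The reordering is not under USE_PAM, so non-PAM builds now also run modify_environment after change_identity; if that is intended it deserves a word in the ChangeLog. main begins and ends outside this hunk.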
-- 
1.7.1





Information forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org:
bug#7572; Package coreutils. (Thu, 09 Jun 2011 12:37:02 GMT) Full text and rfc822 format available.

Message #8 received at 7572 <at> debbugs.gnu.org (full text, mbox):

From: Ludwig Nussel <ludwig.nussel <at> suse.de>
To: 7572 <at> debbugs.gnu.org
Subject: ping
Date: Thu, 9 Jun 2011 14:36:16 +0200
Hi,

Are there any concerns with the patch? It would be really nice to
have this merged upstream to avoid further fragmentation.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 




Information forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org:
bug#7572; Package coreutils. (Thu, 09 Jun 2011 13:16:01 GMT) Full text and rfc822 format available.

Message #11 received at 7572 <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <jim <at> meyering.net>
To: Ludwig Nussel <ludwig.nussel <at> suse.de>
Cc: 7572 <at> debbugs.gnu.org
Subject: [PATCH] PAM support for su  [Re: bug#7572: ping
Date: Thu, 09 Jun 2011 15:15:47 +0200
Ludwig Nussel wrote:
> Are there any concerns with the patch? It would be really nice to
> have this merged upstream to avoid further fragmentation.

Hi Ludwig,

The main concern is that by default coreutils doesn't even build su anymore.

However, if this makes it easier on Fedora and Suse packagers, then
I suppose it's worthwhile.

If you'd like to pursue the matter, there are a few missing pieces:

 - Ensure that "make syntax-check" still passes with this patch.
   I see cpp indentation that may fail the test that runs cppi.
   That test is run only when cppi is installed, so you may have
   to install it.

 - it will need a ChangeLog entry, including attribution if you can
   dig that up.

 - I haven't looked carefully, but considering the size, I'd be
   surprised if there is no need to document changes -- in
   coreutils.texi

 - include a NEWS entry

 - tests would be most welcome, but I won't insist on those


Jim




Information forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org:
bug#7572; Package coreutils. (Thu, 09 Jun 2011 13:46:02 GMT) Full text and rfc822 format available.

Message #14 received at 7572 <at> debbugs.gnu.org (full text, mbox):

From: Ludwig Nussel <ludwig.nussel <at> suse.de>
To: Jim Meyering <jim <at> meyering.net>
Cc: 7572 <at> debbugs.gnu.org
Subject: Re: [PATCH] PAM support for su
Date: Thu, 9 Jun 2011 15:45:29 +0200
Jim Meyering wrote:
> Ludwig Nussel wrote:
> > Are there any concerns with the patch? It would be really nice to
> > have this merged upstream to avoid further fragmentation.
> 
> The main concern is that by default coreutils doesn't even build su anymore.

Does that mean you intend to drop su from coreutils? If so is there
any suggested alternative? Should we move su to e.g. util-linux
instead?

> However, if this makes it easier on Fedora and Suse packagers, then
> I suppose it's worthwhile.
> 
> If you'd like to pursue the matter, there are a few missing pieces:
> 
>  - Ensure that "make syntax-check" still passes with this patch.
>    I see cpp indentation that may fail the test that runs cppi.
>    That test is run only when cppi is installed, so you may have
>    to install it.
>
>  - it will need a ChangeLog entry, including attribution if you can
>    dig that up.

Ok, I'll check both.

>  - I haven't looked carefully, but considering the size, I'd be
>    surprised if there is no need to document changes -- in
>    coreutils.texi

Yes. Our package actually has a separate patch that modifies the
docu. For upstream the pam support is optional though so any
addition to coreutils.texi would need to be conditional I suppose.
So we'd need e.g. a coreutils.texi.in that gets rewritten by
configure.

>  - include a NEWS entry

ok

>  - tests would be most welcome, but I won't insist on those

Hmm, I'm not sure that's feasible. Tests would need to run as
root and they'd likely have to modify /etc/pam.d.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 




Information forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org:
bug#7572; Package coreutils. (Thu, 09 Jun 2011 14:04:02 GMT) Full text and rfc822 format available.

Message #17 received at 7572 <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <jim <at> meyering.net>
To: Ludwig Nussel <ludwig.nussel <at> suse.de>
Cc: 7572 <at> debbugs.gnu.org
Subject: Re: bug#7572: [PATCH] PAM support for su
Date: Thu, 09 Jun 2011 16:03:20 +0200
Ludwig Nussel wrote:
> Jim Meyering wrote:
>> Ludwig Nussel wrote:
>> > Are there any concerns with the patch? It would be really nice to
>> > have this merged upstream to avoid further fragmentation.
>>
>> The main concern is that by default coreutils doesn't even build su anymore.
>
> Does that mean you intend to drop su from coreutils? If so is there

I would have dropped it long ago but for some distributions
for which the switch to e.g., util-linux was not an option.

> any suggested alternative? Should we move su to e.g. util-linux
> instead?

It's worth considering.

>> However, if this makes it easier on Fedora and Suse packagers, then
>> I suppose it's worthwhile.
>>
>> If you'd like to pursue the matter, there are a few missing pieces:
>>
>>  - Ensure that "make syntax-check" still passes with this patch.
>>    I see cpp indentation that may fail the test that runs cppi.
>>    That test is run only when cppi is installed, so you may have
>>    to install it.
>>
>>  - it will need a ChangeLog entry, including attribution if you can
>>    dig that up.
>
> Ok, I'll check both.
>
>>  - I haven't looked carefully, but considering the size, I'd be
>>    surprised if there is no need to document changes -- in
>>    coreutils.texi
>
> Yes. Our package actually has a separate patch that modifies the
> docu. For upstream the pam support is optional though so any
> addition to coreutils.texi would need to be conditional I suppose.
> So we'd need e.g. a coreutils.texi.in that gets rewritten by
> configure.

Simpler is to start a paragraph/section with a few words saying that
some additional functionality is available when PAM support is enabled.

>>  - include a NEWS entry
>
> ok
>
>>  - tests would be most welcome, but I won't insist on those
>
> Hmm, I'm not sure that's feasible. Tests would need to run as
> root and they'd likely have to modify /etc/pam.d.

root-only tests are not a problem.
There are already quite a few.  For examples,
see the scripts under tests/ that use "require_root_".
However, as you imply, if the only way to test is
by changing the likes of /etc/pam.d, then it's easy:
automated tests are not an option ;-)




Information forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org:
bug#7572; Package coreutils. (Thu, 09 Jun 2011 14:30:03 GMT) Full text and rfc822 format available.

Message #20 received at 7572 <at> debbugs.gnu.org (full text, mbox):

From: Ludwig Nussel <ludwig.nussel <at> suse.de>
To: Jim Meyering <jim <at> meyering.net>
Cc: 7572 <at> debbugs.gnu.org
Subject: Re: bug#7572: [PATCH] PAM support for su
Date: Thu, 9 Jun 2011 16:29:39 +0200
Jim Meyering wrote:
> Ludwig Nussel wrote:
> > Jim Meyering wrote:
> >> Ludwig Nussel wrote:
> >> > Are there any concerns with the patch? It would be really nice to
> >> > have this merged upstream to avoid further fragmentation.
> >>
> >> The main concern is that by default coreutils doesn't even build su anymore.
> >
> > Does that mean you intend to drop su from coreutils? If so is there
> 
> I would have dropped it long ago but for some distributions
> for which the switch to e.g., util-linux was not an option.

Well, those who prefer a bit rotten su.c could still fetch one from
an old coreutils archive if it's dropped in newer versions :-)

> > any suggested alternative? Should we move su to e.g. util-linux
> > instead?
> 
> It's worth considering.

Ok. I'll ask on the util-linux list then.

> [...]
> >>  - tests would be most welcome, but I won't insist on those
> >
> > Hmm, I'm not sure that's feasible. Tests would need to run as
> > root and they'd likely have to modify /etc/pam.d.
> 
> root-only tests are not a problem.
> There are already quite a few.  For examples,
> see the scripts under tests/ that use "require_root_".
> However, as you imply, if the only way to test is
> by changing the likes of /etc/pam.d, then it's easy:
> automated tests are not an option ;-)

One needs to install two files there to tell pam which modules to
activate. If the system already has them from the distro there might
be a conflict due to different content.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 




Information forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org:
bug#7572; Package coreutils. (Thu, 09 Jun 2011 14:39:02 GMT) Full text and rfc822 format available.

Message #23 received at 7572 <at> debbugs.gnu.org (full text, mbox):

From: Ben Walton <bwalton <at> artsci.utoronto.ca>
To: Jim Meyering <jim <at> meyering.net>
Cc: 7572 <7572 <at> debbugs.gnu.org>, Ludwig Nussel <ludwig.nussel <at> suse.de>
Subject: Re: bug#7572: [PATCH] PAM support for su
Date: Thu, 09 Jun 2011 10:38:12 -0400
Excerpts from Jim Meyering's message of Thu Jun 09 10:03:20 -0400 2011:

Hi Jim,

> > Does that mean you intend to drop su from coreutils? If so is there
> 
> I would have dropped it long ago but for some distributions
> for which the switch to e.g., util-linux was not an option.

I would miss this greatly in the OpenCSW coreutils package for
Solaris.  The su in coreutils is much nicer than the native one. :)
I'd understand if you dropped it, but I'll voice my preference
regardless.

Thanks
-Ben
--
Ben Walton
Systems Programmer - CHASS
University of Toronto
C:416.407.5610 | W:416.978.4302





Information forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org:
bug#7572; Package coreutils. (Thu, 09 Jun 2011 14:41:01 GMT) Full text and rfc822 format available.

Message #26 received at 7572 <at> debbugs.gnu.org (full text, mbox):

From: "Voelker, Bernhard" <bernhard.voelker <at> siemens-enterprise.com>
To: Jim Meyering <jim <at> meyering.net>, Ludwig Nussel <ludwig.nussel <at> suse.de>
Cc: "7572 <at> debbugs.gnu.org" <7572 <at> debbugs.gnu.org>
Subject: RE: bug#7572: [PATCH] PAM support for su
Date: Thu, 9 Jun 2011 16:40:30 +0200
Jim Meyering wrote:
> Ludwig Nussel wrote:
>> Jim Meyering wrote:
>>>  - tests would be most welcome, but I won't insist on those
>>
>> Hmm, I'm not sure that's feasible. Tests would need to run as
>> root and they'd likely have to modify /etc/pam.d.
>
> root-only tests are not a problem.
> There are already quite a few.  For examples,
> see the scripts under tests/ that use "require_root_".
> However, as you imply, if the only way to test is
> by changing the likes of /etc/pam.d, then it's easy:
> automated tests are not an option ;-)

maybe in a temporary chroot (unless that's overkill)?

--
Have a nice day,
Berny







Information forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org:
bug#7572; Package coreutils. (Thu, 09 Jun 2011 15:04:03 GMT) Full text and rfc822 format available.

Message #29 received at 7572 <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <jim <at> meyering.net>
To: Ben Walton <bwalton <at> artsci.utoronto.ca>
Cc: 7572 <7572 <at> debbugs.gnu.org>, Ludwig Nussel <ludwig.nussel <at> suse.de>
Subject: Re: bug#7572: [PATCH] PAM support for su
Date: Thu, 09 Jun 2011 17:03:08 +0200
Ben Walton wrote:
> Excerpts from Jim Meyering's message of Thu Jun 09 10:03:20 -0400 2011:
>> > Does that mean you intend to drop su from coreutils? If so is there
>>
>> I would have dropped it long ago but for some distributions
>> for which the switch to e.g., util-linux was not an option.
>
> I would miss this greatly in the OpenCSW coreutils package for
> Solaris.  The su in coreutils is much nicer than the native one. :)
> I'd understand if you dropped it, but I'll voice my preference
> regardless.

I don't plan to remove it.
The compromise I settled on 3.5 years ago was to do this:

    * Noteworthy changes in release 6.9.90 (2007-12-01) [beta]
    ...
    ** Programs no longer installed by default

      hostname, su

    ...
    ** New build options

      By default, "make install" no longer attempts to install (or even build) su.
      To change that, use ./configure --enable-install-program=su.
      If you also want to install the new "arch" program, do this:
      ./configure --enable-install-program=arch,su.

      You can inhibit the compilation and installation of selected programs
      at configure time.  For example, to avoid installing "hostname" and
      "uptime", use ./configure --enable-no-install-program=hostname,uptime
      Note: currently, "make check" passes, even when arch and su are not
      built (that's the new default).  However, if you inhibit the building
      and installation of other programs, don't be surprised if some parts
      of "make check" fail.




Information forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org:
bug#7572; Package coreutils. (Sat, 23 Jul 2011 12:20:02 GMT) Full text and rfc822 format available.

Message #32 received at 7572 <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <jim <at> meyering.net>
To: Ludwig Nussel <ludwig.nussel <at> suse.de>
Cc: 7572 <at> debbugs.gnu.org
Subject: Re: bug#7572: ping
Date: Sat, 23 Jul 2011 14:19:39 +0200
Ludwig Nussel wrote:
> Are there any concerns with the patch? It would be really nice to
> have this merged upstream to avoid further fragmentation.

If you now have a complete patch (including documentation, NEWS update
and a good ChangeLog), please post it.

Or, if you opted not to pursue this, please just close this issue
by Cc'ing 7572-done <at> debbugs.gnu.org with your reply.




Reply sent to Ludwig Nussel <ludwig.nussel <at> suse.de>:
You have taken responsibility. (Tue, 29 May 2012 15:03:02 GMT) Full text and rfc822 format available.

Notification sent to Ludwig Nussel <ludwig.nussel <at> suse.de>:
bug acknowledged by developer. (Tue, 29 May 2012 15:03:04 GMT) Full text and rfc822 format available.

Message #37 received at 7572-done <at> debbugs.gnu.org (full text, mbox):

From: Ludwig Nussel <ludwig.nussel <at> suse.de>
To: 7572-done <at> debbugs.gnu.org
Subject: merged into util-linux
Date: Tue, 29 May 2012 17:00:27 +0200
Hi,

A pam aware su has now been merged into util-linux. This issue can
therefore be closed.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 




Information forwarded to bug-coreutils <at> gnu.org:
bug#7572; Package coreutils. (Tue, 29 May 2012 15:08:01 GMT) Full text and rfc822 format available.

Message #40 received at 7572 <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <jim <at> meyering.net>
To: 7572 <at> debbugs.gnu.org
Cc: ludwig.nussel <at> suse.de
Subject: Re: bug#7572: merged into util-linux
Date: Tue, 29 May 2012 17:05:48 +0200
Ludwig Nussel wrote:
> A pam aware su has now been merged into util-linux. This issue can
> therefore be closed.

Thanks for the follow-up.
I'll post a patch removing su from coreutils separately.




bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Wed, 27 Jun 2012 11:24:04 GMT) Full text and rfc822 format available.

This bug report was last modified 11 years and 278 days ago.
