GNU bug report logs - #8700
Simple way to switch user/group permissions without requiring PAM sessions


Package: coreutils

Reported by: Colin Watson <cjwatson <at> debian.org>

Date: Thu, 19 May 2011 13:14:03 UTC

Severity: normal

Tags: wontfix

Done: Assaf Gordon <assafgordon <at> gmail.com>

Bug is archived. No further changes may be made.

To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 8700 in the body.
You can then email your comments to 8700 AT debbugs.gnu.org in the normal way.



Report forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org:
bug#8700; Package coreutils. (Thu, 19 May 2011 13:14:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Colin Watson <cjwatson <at> debian.org>:
New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Thu, 19 May 2011 13:14:03 GMT) Full text and rfc822 format available.

Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):

From: Colin Watson <cjwatson <at> debian.org>
To: bug-coreutils <at> gnu.org
Cc: Ian Jackson <ijackson <at> chiark.greenend.org.uk>
Subject: Simple way to switch user/group permissions without requiring PAM
	sessions
Date: Thu, 19 May 2011 14:13:39 +0100

Every so often I wish that there existed (preferably in the Debian base
system) a tool analogous to chroot that drops privileges from root to a
nominated user, group, etc. and runs a given program.

Of course I do know about su, sudo, etc., but:

 * su and sudo are often configured to start a PAM session with noisy
   logging etc.;

 * su has a messy historical command-line syntax that requires fiddly
   quoting;

 * sudo isn't installed everywhere;

 * these programs all have lots of authentication baggage, which is
   thoroughly overkill when I'm writing shell scripts that run as root
   and just want to quickly run a program as some other user.

One example of when I want to use this is in Debian's
/etc/cron.daily/man-db script.  Towards the end of this, I want to run
the mandb program as the 'man' user.  I ended up using Debian's
start-stop-daemon, which happens to be able to run something in the
foreground as a different user; but mandb is not a daemon,
start-stop-daemon isn't universal, and so this all feels like a hack.

In other similar situations I've ended up with a couple of lines of
Perl, something like:

    perl -e '@pwd = getpwnam("man"); $( = $) = $pwd[3]; $< = $> = $pwd[2];
             exec "/usr/bin/mandb", @ARGV' -- "$@"

Again, though: punctuation-heavy, not trivial to get exactly right,
delicate quoting, and so on.

It seems to me that we could use something which can do ID switches away
from root without all the authentication stuff, and could be simple
enough to go in coreutils and ultimately end up on all GNUish systems.
When I complained about the lack of this on a local IRC channel, Ian
Jackson (CCed) pointed out that his 'really' tool is pretty close to
this; it does have some very simple authentication code, but that's easy
to strip out, and the rest is almost identical to what I'd want to see
in such a tool.  He did say that he'd prefer it not to be called
'really' if it's not installed setuid; I suggest 'chid' by analogy with
chroot, chcon, etc.

The source for 'really' is here (and while I can't speak for him
I suspect Ian would be happy to do FSF assignment and such, since he's
already a GNU maintainer):

  http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=chiark-utils.git;a=tree;f=cprogs

Another piece of prior art is the 'runas' tool in titantools.  However,
this is under a non-free licence and its command line interface is not
all that great IMO, so it's probably only useful to know about it to
avoid using the same (tempting) name.

Thanks,

-- 
Colin Watson                                       [cjwatson <at> debian.org]




Information forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org:
bug#8700; Package coreutils. (Thu, 19 May 2011 14:23:02 GMT) Full text and rfc822 format available.

Message #8 received at 8700 <at> debbugs.gnu.org (full text, mbox):

From: Jim Meyering <jim <at> meyering.net>
To: Colin Watson <cjwatson <at> debian.org>
Cc: 8700 <at> debbugs.gnu.org, Ian Jackson <ijackson <at> chiark.greenend.org.uk>
Subject: Re: bug#8700: Simple way to switch user/group permissions without
	requiring PAM sessions
Date: Thu, 19 May 2011 16:22:10 +0200

Colin Watson wrote:
> Every so often I wish that there existed (preferably in the Debian base
> system) a tool analogous to chroot that drops privileges from root to a
> nominated user, group, etc. and runs a given program.
>
> Of course I do know about su, sudo, etc., but:
>
>  * su and sudo are often configured to start a PAM session with noisy
>    logging etc.;
>
>  * su has a messy historical command-line syntax that requires fiddly
>    quoting;
>
>  * sudo isn't installed everywhere;
>
>  * these programs all have lots of authentication baggage, which is
>    thoroughly overkill when I'm writing shell scripts that run as root
>    and just want to quickly run a program as some other user.
>
> One example of when I want to use this is in Debian's
> /etc/cron.daily/man-db script.  Towards the end of this, I want to run
> the mandb program as the 'man' user.  I ended up using Debian's
> start-stop-daemon, which happens to be able to run something in the
> foreground as a different user; but mandb is not a daemon,
> start-stop-daemon isn't universal, and so this all feels like a hack.
>
> In other similar situations I've ended up with a couple of lines of
> Perl, something like:
>
>     perl -e '@pwd = getpwnam("man"); $( = $) = $pwd[3]; $< = $> = $pwd[2];
>              exec "/usr/bin/mandb", @ARGV' -- "$@"
>
> Again, though: punctuation-heavy, not trivial to get exactly right,
> delicate quoting, and so on.
>
> It seems to me that we could use something which can do ID switches away
> from root without all the authentication stuff, and could be simple
> enough to go in coreutils and ultimately end up on all GNUish systems.
> When I complained about the lack of this on a local IRC channel, Ian
> Jackson (CCed) pointed out that his 'really' tool is pretty close to
> this; it does have some very simple authentication code, but that's easy
> to strip out, and the rest is almost identical to what I'd want to see
> in such a tool.  He did say that he'd prefer it not to be called
> 'really' if it's not installed setuid; I suggest 'chid' by analogy with
> chroot, chcon, etc.
>
> The source for 'really' is here (and while I can't speak for him
> I suspect Ian would be happy to do FSF assignment and such, since he's
> already a GNU maintainer):
>
>   http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=chiark-utils.git;a=tree;f=cprogs
>
> Another piece of prior art is the 'runas' tool in titantools.  However,
> this is under a non-free licence and its command line interface is not
> all that great IMO, so it's probably only useful to know about it to
> avoid using the same (tempting) name.

Hi Colin,
coreutils already has a minimalist src/setuidgid.c, but currently it's
not installed.  Rather, it is used only when running the test suite:

  $ ./setuidgid --help
  Usage: ./setuidgid [SHORT-OPTION]... USER COMMAND [ARGUMENT]...
    or:  ./setuidgid LONG-OPTION
  Drop any supplemental groups, assume the user-ID and group-ID of the specified
  USER (numeric ID or user name), and run COMMAND with any specified ARGUMENTs.
  Exit with status 111 if unable to assume the required user and group ID.
  Otherwise, exit with the exit status of COMMAND.
  This program is useful only when run by root (user ID zero).

    -g GID[,GID1...]  also set the primary group-ID to the numeric GID, and
                      (if specified) supplemental group IDs to GID1, ...
        --help     display this help and exit
        --version  output version information and exit

Does that do what you'd like?
If so, do you feel like writing a few words in coreutils.texi
so this part of its --help is no longer a lie?

    For complete documentation, run: info coreutils 'setuidgid invocation'

Also, if we're going to install it, we'd have to have a few tests,
just for it, to exercise its functionality.

I like your proposed name of "chid".

I took a peek at "really" and see that it has several more options
than setuidgid.  If you'd expect to use some of those, we should
discuss.  For example, is --chroot just a convenience?  It'd be
useful to explain in the documentation when/how it can be useful.

I'm game if you are willing to write the patch, with documentation and tests.

Jim
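
The sequence that the setuidgid help text above describes (drop supplemental groups, assume the group ID and user ID, exit 111 on failure), as an added C sketch that is not part of this thread and is not the coreutils or 'really' source. The function names `parse_gid_list` and `drop_to` are hypothetical; the command line mirrors the quoted usage line.

```c
/* Added sketch; parse_gid_list() and drop_to() are hypothetical names. */
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1          /* for setgroups() and seteuid() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Parse "GID[,GID1...]" (numeric only). Returns the count stored in out[],
   or -1 on malformed input, overflow, or more than max entries. */
int parse_gid_list(const char *s, gid_t *out, size_t max)
{
    size_t n = 0;
    for (;;) {
        char *end;
        if (*s < '0' || *s > '9') return -1;      /* no sign, space or empty field */
        errno = 0;
        unsigned long v = strtoul(s, &end, 10);
        if (errno || v >= (gid_t)-1 || n == max) return -1;  /* (gid_t)-1 is reserved */
        out[n++] = (gid_t)v;
        if (*end == '\0') return (int)n;
        if (*end != ',') return -1;
        s = end + 1;
    }
}

/* gids[0] is the primary group, the rest are supplementary. Groups go first and
   the UID last: after setuid() the process may no longer change its groups. */
int drop_to(uid_t uid, const gid_t *gids, size_t ngids)
{
    if (ngids == 0) return -1;
    if (setgroups(ngids - 1, gids + 1) != 0) return -1;  /* replaces root's groups */
    if (setgid(gids[0]) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (uid != 0 && (setuid(0) == 0 || seteuid(0) == 0)) return -1;  /* must stay dropped */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gids[0] || getegid() != gids[0]) return -1;
    return 0;
}

int main(int argc, char **argv)
{
    gid_t gids[32];
    int n = 0, i = 1;
    if (argc > 3 && strcmp(argv[1], "-g") == 0) { n = parse_gid_list(argv[2], gids, 32); i = 3; }
    if (argc - i < 2) { fprintf(stderr, "usage: %s [-g GID[,GID1...]] USER COMMAND [ARG]...\n", argv[0]); return 111; }
    struct passwd *pw = getpwnam(argv[i]);
    if (pw && n == 0) { gids[0] = pw->pw_gid; n = 1; }   /* default: USER's own group only */
    if (!pw || n < 1 || drop_to(pw->pw_uid, gids, (size_t)n) != 0) {
        fprintf(stderr, "%s: cannot assume requested IDs\n", argv[0]);
        return 111;                /* failure status from the quoted --help text */
    }
    execvp(argv[i + 1], argv + i + 1);
    perror(argv[i + 1]);
    return 127;
}
```

The sketch leaves COMMAND attached to the caller's controlling terminal, which is the situation behind the CVE-2005-4890 warning that appears later in this thread next to `chroot --userspec`.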




Information forwarded to bug-coreutils <at> gnu.org:
bug#8700; Package coreutils. (Wed, 28 Mar 2012 15:59:02 GMT) Full text and rfc822 format available.

Message #11 received at 8700 <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Jim Meyering <jim <at> meyering.net>
Cc: 8700 <at> debbugs.gnu.org, Colin Watson <cjwatson <at> debian.org>,
	Ian Jackson <ijackson <at> chiark.greenend.org.uk>
Subject: Re: bug#8700: Simple way to switch user/group permissions without
	requiring PAM sessions
Date: Wed, 28 Mar 2012 16:26:37 +0100

On 05/19/2011 03:22 PM, Jim Meyering wrote:
> Colin Watson wrote:
>> Every so often I wish that there existed (preferably in the Debian base
>> system) a tool analogous to chroot that drops privileges from root to a
>> nominated user, group, etc. and runs a given program.
>>
>> Of course I do know about su, sudo, etc., but:
>>
>>  * su and sudo are often configured to start a PAM session with noisy
>>    logging etc.;
>>
>>  * su has a messy historical command-line syntax that requires fiddly
>>    quoting;
>>
>>  * sudo isn't installed everywhere;
>>
>>  * these programs all have lots of authentication baggage, which is
>>    thoroughly overkill when I'm writing shell scripts that run as root
>>    and just want to quickly run a program as some other user.
>>
>> One example of when I want to use this is in Debian's
>> /etc/cron.daily/man-db script.  Towards the end of this, I want to run
>> the mandb program as the 'man' user.  I ended up using Debian's
>> start-stop-daemon, which happens to be able to run something in the
>> foreground as a different user; but mandb is not a daemon,
>> start-stop-daemon isn't universal, and so this all feels like a hack.
>>
>> In other similar situations I've ended up with a couple of lines of
>> Perl, something like:
>>
>>     perl -e '@pwd = getpwnam("man"); $( = $) = $pwd[3]; $< = $> = $pwd[2];
>>              exec "/usr/bin/mandb", @ARGV' -- "$@"
>>
>> Again, though: punctuation-heavy, not trivial to get exactly right,
>> delicate quoting, and so on.
>>
>> It seems to me that we could use something which can do ID switches away
>> from root without all the authentication stuff, and could be simple
>> enough to go in coreutils and ultimately end up on all GNUish systems.
>> When I complained about the lack of this on a local IRC channel, Ian
>> Jackson (CCed) pointed out that his 'really' tool is pretty close to
>> this; it does have some very simple authentication code, but that's easy
>> to strip out, and the rest is almost identical to what I'd want to see
>> in such a tool.  He did say that he'd prefer it not to be called
>> 'really' if it's not installed setuid; I suggest 'chid' by analogy with
>> chroot, chcon, etc.
>>
>> The source for 'really' is here (and while I can't speak for him
>> I suspect Ian would be happy to do FSF assignment and such, since he's
>> already a GNU maintainer):
>>
>>   http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=chiark-utils.git;a=tree;f=cprogs
>>
>> Another piece of prior art is the 'runas' tool in titantools.  However,
>> this is under a non-free licence and its command line interface is not
>> all that great IMO, so it's probably only useful to know about it to
>> avoid using the same (tempting) name.
> 
> Hi Colin,
> coreutils already has a minimalist src/setuidgid.c, but currently it's
> not installed.  Rather, it is used only when running the test suite:
> 
>   $ ./setuidgid --help
>   Usage: ./setuidgid [SHORT-OPTION]... USER COMMAND [ARGUMENT]...
>     or:  ./setuidgid LONG-OPTION
>   Drop any supplemental groups, assume the user-ID and group-ID of the specified
>   USER (numeric ID or user name), and run COMMAND with any specified ARGUMENTs.
>   Exit with status 111 if unable to assume the required user and group ID.
>   Otherwise, exit with the exit status of COMMAND.
>   This program is useful only when run by root (user ID zero).
> 
>     -g GID[,GID1...]  also set the primary group-ID to the numeric GID, and
>                       (if specified) supplemental group IDs to GID1, ...
>         --help     display this help and exit
>         --version  output version information and exit
> 
> Does that do what you'd like?
> If so, do you feel like writing a few words in coreutils.texi
> so this part of its --help is no longer a lie?
> 
>     For complete documentation, run: info coreutils 'setuidgid invocation'
> 
> Also, if we're going to install it, we'd have to have a few tests,
> just for it, to exercise its functionality.
> 
> I like your proposed name of "chid".
> 
> I took a peek at "really" and see that it has several more options
> than setuidgid.  If you'd expect to use some of those, we should
> discuss.  For example, is --chroot just a convenience?  It'd be
> useful to explain in the documentation when/how it can be useful.
> 
> I'm game if you are willing to write the patch, with documentation and tests.

This is essentially what the runuser command from Fedora does,
and that is based on the coreutils su command.
How about we just incorporate `runuser` into coreutils upstream?

cheers,
Pádraig.




Information forwarded to bug-coreutils <at> gnu.org:
bug#8700; Package coreutils. (Wed, 28 Mar 2012 17:58:02 GMT) Full text and rfc822 format available.

Message #14 received at 8700 <at> debbugs.gnu.org (full text, mbox):

From: Ian Jackson <ijackson <at> chiark.greenend.org.uk>
To: Pádraig Brady <P <at> draigBrady.com>
Cc: 8700 <at> debbugs.gnu.org, Jim Meyering <jim <at> meyering.net>,
	Colin Watson <cjwatson <at> debian.org>
Subject: Re: bug#8700: Simple way to switch user/group permissions without
	requiring PAM sessions
Date: Wed, 28 Mar 2012 17:09:51 +0100

Pádraig Brady writes ("Re: bug#8700: Simple way to switch user/group permissions without requiring PAM sessions"):
> On 05/19/2011 03:22 PM, Jim Meyering wrote:
> > Colin Watson wrote:
> >> Every so often I wish that there existed (preferably in the Debian base
> >> system) a tool analogous to chroot that drops privileges from root to a
> >> nominated user, group, etc. and runs a given program.

chiark-really (Source: chiark-utils) has "really" which can do this,
but of course it's not in Debian base and being set-id for its other
purpose it's probably not suitable.

OTOH the code is trivial and the behaviour is I think exactly as
desired.

Ian.




Information forwarded to bug-coreutils <at> gnu.org:
bug#8700; Package coreutils. (Mon, 20 Aug 2012 09:25:01 GMT) Full text and rfc822 format available.

Message #17 received at 8700 <at> debbugs.gnu.org (full text, mbox):

From: Pádraig Brady <P <at> draigBrady.com>
To: Jim Meyering <jim <at> meyering.net>
Cc: hurd-devel <at> gnu.org, Karel Zak <kzak <at> redhat.com>,
	Ludwig Nussel <ludwig.nussel <at> suse.de>,
	Coreutils <coreutils <at> gnu.org>, 8700 <at> debbugs.gnu.org,
	Ondřej Vašík <ovasik <at> redhat.com>
Subject: Re: removing "su" from coreutils [Re: Fwd: [PULL] su
Date: Mon, 20 Aug 2012 10:24:05 +0100

On 05/24/2012 02:50 PM, Pádraig Brady wrote:
> Note Fedora and Suse use su from coreutils
> while debian use their own:
> http://pkg-shadow.alioth.debian.org/
> 
> Note also Fedora has `runuser` which is based on su:
> http://pkgs.fedoraproject.org/gitweb/?p=coreutils.git;a=blob;f=coreutils-8.7-runuser.patch;hb=HEAD
> 
> There was also a very related request for
> `runuser` like functionality to be generally available:
> http://bugs.gnu.org/8700
> 
> It's probably worth bringing runuser with su,
> no matter where they end up.

So with su being removed in favor of the util-linux implementation,
`runuser` is being implemented there too.
I.E. it will be available outside of redhat/fedora/centos/...
in util-linux >= 2.22, and so should address http://bugs.gnu.org/8700

Note from previous comments in this thread,
it seems like allowing runuser to be built (as an option?)
without requiring PAM, would be useful.

For reference, here are utils with similar functionality:

chid,really
  Mentioned in feature request from debian
    http://bugs.gnu.org/8700

chroot --userspec=U:G --groups=G1,G2,G3 /
  since coreutils v7.4-16-gc45c51f
  beware of CVE-2005-4890

setuidgid
  coreutils internal only
  http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=blob;f=src/setuidgid.c;hb=HEAD

sg from pwdutils
  http://pubs.opengroup.org/onlinepubs/9699919799/utilities/newgrp.html

sudo -u -g

runas from titantools


cheers,
Pádraig.




Information forwarded to bug-coreutils <at> gnu.org:
bug#8700; Package coreutils. (Mon, 20 Aug 2012 18:43:02 GMT) Full text and rfc822 format available.

Message #20 received at 8700 <at> debbugs.gnu.org (full text, mbox):

From: Karel Zak <kzak <at> redhat.com>
To: Pádraig Brady <P <at> draigBrady.com>
Cc: hurd-devel <at> gnu.org, Jim Meyering <jim <at> meyering.net>,
	Ludwig Nussel <ludwig.nussel <at> suse.de>,
	Coreutils <coreutils <at> gnu.org>, 8700 <at> debbugs.gnu.org,
	Ondřej Vašík <ovasik <at> redhat.com>
Subject: Re: removing "su" from coreutils [Re: Fwd: [PULL] su
Date: Mon, 20 Aug 2012 20:36:10 +0200

On Mon, Aug 20, 2012 at 10:24:05AM +0100, Pádraig Brady wrote:
> On 05/24/2012 02:50 PM, Pádraig Brady wrote:
> > Note Fedora and Suse use su from coreutils
> > while debian use their own:
> > http://pkg-shadow.alioth.debian.org/
> > 
> > Note also Fedora has `runuser` which is based on su:
> > http://pkgs.fedoraproject.org/gitweb/?p=coreutils.git;a=blob;f=coreutils-8.7-runuser.patch;hb=HEAD
> > 
> > There was also a very related request for
> > `runuser` like functionality to be generally available:
> > http://bugs.gnu.org/8700
> > 
> > It's probably worth bringing runuser with su,
> > no matter where they end up.
> 
> So with su being removed in favor of the util-linux implementation,
> `runuser` is being implemented there too.
> I.E. it will be available outside of redhat/fedora/centos/...
> in util-linux >= 2.22, and so should address http://bugs.gnu.org/8700

 My plan is to merge Fedora runuser patch (it means add -g -G options
 to su(1)) after 2.22. It's too late for 2.22 (as we have -rc2 now).

 The patch will be available ASAP after 2.22 release in the util-linux
 upstream tree and maybe will be in 2.22.1 too.

> Note from previous comments in this thread,
> it seems like allowing runuser to be built (as an option?)
> without requiring PAM, would be useful.
> 
> For reference, here are utils with similar functionality:

 Thanks for the references!

    Karel

-- 
 Karel Zak  <kzak <at> redhat.com>
 http://karelzak.blogspot.com




Added tag(s) wontfix. Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Thu, 11 Oct 2018 22:35:02 GMT) Full text and rfc822 format available.

bug closed, send any further explanations to 8700 <at> debbugs.gnu.org and Colin Watson <cjwatson <at> debian.org> Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Thu, 11 Oct 2018 22:35:03 GMT) Full text and rfc822 format available.

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 09 Nov 2018 12:24:04 GMT) Full text and rfc822 format available.

This bug report was last modified 5 years and 168 days ago.
