GNU bug report logs - #8700
Simple way to switch user/group permissions without requiring PAM sessions
Reported by: Colin Watson <cjwatson <at> debian.org>
Date: Thu, 19 May 2011 13:14:03 UTC
Severity: normal
Tags: wontfix
Done: Assaf Gordon <assafgordon <at> gmail.com>
Bug is archived. No further changes may be made.

Report forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org: bug#8700; Package coreutils. (Thu, 19 May 2011 13:14:03 GMT)

Acknowledgement sent to Colin Watson <cjwatson <at> debian.org>: New bug report received and forwarded. Copy sent to bug-coreutils <at> gnu.org. (Thu, 19 May 2011 13:14:03 GMT)

Message #5 received at submit <at> debbugs.gnu.org:

Every so often I wish that there existed (preferably in the Debian base
system) a tool analogous to chroot that drops privileges from root to a
nominated user, group, etc. and runs a given program.

Of course I do know about su, sudo, etc., but:

 * su and sudo are often configured to start a PAM session with noisy
   logging etc.;

 * su has a messy historical command-line syntax that requires fiddly
   quoting;

 * sudo isn't installed everywhere;

 * these programs all have lots of authentication baggage, which is
   thoroughly overkill when I'm writing shell scripts that run as root
   and just want to quickly run a program as some other user.

One example of when I want to use this is in Debian's
/etc/cron.daily/man-db script. Towards the end of this, I want to run
the mandb program as the 'man' user. I ended up using Debian's
start-stop-daemon, which happens to be able to run something in the
foreground as a different user; but mandb is not a daemon,
start-stop-daemon isn't universal, and so this all feels like a hack.

In other similar situations I've ended up with a couple of lines of
Perl, something like:

    perl -e '@pwd = getpwnam("man"); $( = $) = $pwd[3]; $< = $> = $pwd[2];
             exec "/usr/bin/mandb", @ARGV' -- "$@"

Again, though: punctuation-heavy, not trivial to get exactly right,
delicate quoting, and so on.

It seems to me that we could use something which can do ID switches away
from root without all the authentication stuff, and could be simple
enough to go in coreutils and ultimately end up on all GNUish systems.
When I complained about the lack of this on a local IRC channel, Ian
Jackson (CCed) pointed out that his 'really' tool is pretty close to
this; it does have some very simple authentication code, but that's easy
to strip out, and the rest is almost identical to what I'd want to see
in such a tool. He did say that he'd prefer it not to be called
'really' if it's not installed setuid; I suggest 'chid' by analogy with
chroot, chcon, etc.

The source for 'really' is here (and though while I can't speak for him
I suspect Ian would be happy to do FSF assignment and such, since he's
already a GNU maintainer):

  http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=chiark-utils.git;a=tree;f=cprogs

Another piece of prior art is the 'runas' tool in titantools. However,
this is under a non-free licence and its command line interface is not
all that great IMO, so it's probably only useful to know about it to
avoid using the same (tempting) name.

Thanks,

--
Colin Watson [cjwatson <at> debian.org]

Information forwarded to owner <at> debbugs.gnu.org, bug-coreutils <at> gnu.org: bug#8700; Package coreutils. (Thu, 19 May 2011 14:23:02 GMT)

Message #8 received at 8700 <at> debbugs.gnu.org:

Colin Watson wrote:
> Every so often I wish that there existed (preferably in the Debian base
> system) a tool analogous to chroot that drops privileges from root to a
> nominated user, group, etc. and runs a given program.
>
> Of course I do know about su, sudo, etc., but:
>
> * su and sudo are often configured to start a PAM session with noisy
> logging etc.;
>
> * su has a messy historical command-line syntax that requires fiddly
> quoting;
>
> * sudo isn't installed everywhere;
>
> * these programs all have lots of authentication baggage, which is
> thoroughly overkill when I'm writing shell scripts that run as root
> and just want to quickly run a program as some other user.
>
> One example of when I want to use this is in Debian's
> /etc/cron.daily/man-db script. Towards the end of this, I want to run
> the mandb program as the 'man' user. I ended up using Debian's
> start-stop-daemon, which happens to be able to run something in the
> foreground as a different user; but mandb is not a daemon,
> start-stop-daemon isn't universal, and so this all feels like a hack.
>
> In other similar situations I've ended up with a couple of lines of
> Perl, something like:
>
> perl -e '@pwd = getpwnam("man"); $( = $) = $pwd[3]; $< = $> = $pwd[2];
> exec "/usr/bin/mandb", @ARGV' -- "$@"
>
> Again, though: punctuation-heavy, not trivial to get exactly right,
> delicate quoting, and so on.
>
> It seems to me that we could use something which can do ID switches away
> from root without all the authentication stuff, and could be simple
> enough to go in coreutils and ultimately end up on all GNUish systems.
> When I complained about the lack of this on a local IRC channel, Ian
> Jackson (CCed) pointed out that his 'really' tool is pretty close to
> this; it does have some very simple authentication code, but that's easy
> to strip out, and the rest is almost identical to what I'd want to see
> in such a tool. He did say that he'd prefer it not to be called
> 'really' if it's not installed setuid; I suggest 'chid' by analogy with
> chroot, chcon, etc.
>
> The source for 'really' is here (and though while I can't speak for him
> I suspect Ian would be happy to do FSF assignment and such, since he's
> already a GNU maintainer):
>
> http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=chiark-utils.git;a=tree;f=cprogs
>
> Another piece of prior art is the 'runas' tool in titantools. However,
> this is under a non-free licence and its command line interface is not
> all that great IMO, so it's probably only useful to know about it to
> avoid using the same (tempting) name.

Hi Colin,

coreutils already has a minimalist src/setuidgid.c, but currently it's
not installed. Rather, it is used only when running the test suite:

    $ ./setuidgid --help
    Usage: ./setuidgid [SHORT-OPTION]... USER COMMAND [ARGUMENT]...
      or:  ./setuidgid LONG-OPTION
    Drop any supplemental groups, assume the user-ID and group-ID of the specified
    USER (numeric ID or user name), and run COMMAND with any specified ARGUMENTs.
    Exit with status 111 if unable to assume the required user and group ID.
    Otherwise, exit with the exit status of COMMAND.
    This program is useful only when run by root (user ID zero).

      -g GID[,GID1...]  also set the primary group-ID to the numeric GID, and
                        (if specified) supplemental group IDs to GID1, ...
          --help     display this help and exit
          --version  output version information and exit

Does that do what you'd like?
If so, do you feel like writing a few words in coreutils.texi
so this part of its --help is no longer a lie?

    For complete documentation, run: info coreutils 'setuidgid invocation'

Also, if we're going to install it, we'd have to have a few tests,
just for it, to exercise its functionality.

I like your proposed name of "chid".

I took a peek at "really" and see that it has several more options
than setuidgid. If you'd expect to use some of those, we should
discuss. For example, is --chroot just a convenience? It'd be
useful to explain in the documentation when/how it can be useful.

I'm game if you are willing to write the patch, with documentation and tests.

Jim
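
The drop that the setuidgid help text above describes, and that the Perl one-liner in the original report attempts, written out as an added C example (it is not coreutils' src/setuidgid.c and not code from anyone in this thread). The names parse_id and drop_privileges are hypothetical, a passwd entry is assumed to exist for USER, and the 126/127 statuses for a failed exec are an assumed convention.

```c
/* Added example, not coreutils' setuidgid.c; function names are hypothetical. */
#define _DEFAULT_SOURCE   /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Strict decimal ID parser: rejects empty input, signs, trailing garbage,
   overflow, and 4294967295, the 32-bit (uid_t)-1 that setreuid()/setresuid()
   read as "leave unchanged". */
static int parse_id(const char *s, unsigned long *out)
{
    char *end;
    if (*s < '0' || *s > '9') return -1;
    errno = 0;
    unsigned long v = strtoul(s, &end, 10);
    if (errno || *end != '\0' || v >= 0xFFFFFFFFUL) return -1;
    *out = v;
    return 0;
}

/* Become uid/gid for good. Order matters: supplementary groups, then gid,
   then uid, because once the uid is dropped the groups can no longer change. */
static int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(1, &gid) != 0) return -1;     /* shed root's extra groups */
    if (setgid(gid) != 0) return -1;            /* as root: real, effective, saved */
    if (setuid(uid) != 0) return -1;            /* as root: real, effective, saved */
    /* Verify the result instead of trusting the return values alone. */
    if (getuid() != uid || geteuid() != uid) return -1;
    if (getgid() != gid || getegid() != gid) return -1;
    if (uid != 0 && setuid(0) == 0) return -1;  /* root must be unrecoverable */
    return 0;
}

int main(int argc, char **argv)
{
    unsigned long id;
    struct passwd *pw;
    if (argc < 3) {
        fprintf(stderr, "usage: %s USER COMMAND [ARGUMENT]...\n", argv[0]);
        return 111;
    }
    /* USER is a numeric ID or a user name; a passwd entry is required here. */
    pw = parse_id(argv[1], &id) == 0 ? getpwuid((uid_t)id) : getpwnam(argv[1]);
    if (pw == NULL || drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        fprintf(stderr, "%s: cannot assume user %s\n", argv[0], argv[1]);
        return 111;   /* the status the setuidgid help text gives for this */
    }
    execvp(argv[2], argv + 2);
    int status = errno == ENOENT ? 127 : 126;   /* assumed convention */
    perror(argv[2]);
    return status;
}
```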

Information forwarded to bug-coreutils <at> gnu.org: bug#8700; Package coreutils. (Wed, 28 Mar 2012 15:59:02 GMT)

Message #11 received at 8700 <at> debbugs.gnu.org:

On 05/19/2011 03:22 PM, Jim Meyering wrote:
> Colin Watson wrote:
>> Every so often I wish that there existed (preferably in the Debian base
>> system) a tool analogous to chroot that drops privileges from root to a
>> nominated user, group, etc. and runs a given program.
>>
>> Of course I do know about su, sudo, etc., but:
>>
>> * su and sudo are often configured to start a PAM session with noisy
>> logging etc.;
>>
>> * su has a messy historical command-line syntax that requires fiddly
>> quoting;
>>
>> * sudo isn't installed everywhere;
>>
>> * these programs all have lots of authentication baggage, which is
>> thoroughly overkill when I'm writing shell scripts that run as root
>> and just want to quickly run a program as some other user.
>>
>> One example of when I want to use this is in Debian's
>> /etc/cron.daily/man-db script. Towards the end of this, I want to run
>> the mandb program as the 'man' user. I ended up using Debian's
>> start-stop-daemon, which happens to be able to run something in the
>> foreground as a different user; but mandb is not a daemon,
>> start-stop-daemon isn't universal, and so this all feels like a hack.
>>
>> In other similar situations I've ended up with a couple of lines of
>> Perl, something like:
>>
>> perl -e '@pwd = getpwnam("man"); $( = $) = $pwd[3]; $< = $> = $pwd[2];
>> exec "/usr/bin/mandb", @ARGV' -- "$@"
>>
>> Again, though: punctuation-heavy, not trivial to get exactly right,
>> delicate quoting, and so on.
>>
>> It seems to me that we could use something which can do ID switches away
>> from root without all the authentication stuff, and could be simple
>> enough to go in coreutils and ultimately end up on all GNUish systems.
>> When I complained about the lack of this on a local IRC channel, Ian
>> Jackson (CCed) pointed out that his 'really' tool is pretty close to
>> this; it does have some very simple authentication code, but that's easy
>> to strip out, and the rest is almost identical to what I'd want to see
>> in such a tool. He did say that he'd prefer it not to be called
>> 'really' if it's not installed setuid; I suggest 'chid' by analogy with
>> chroot, chcon, etc.
>>
>> The source for 'really' is here (and though while I can't speak for him
>> I suspect Ian would be happy to do FSF assignment and such, since he's
>> already a GNU maintainer):
>>
>> http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=chiark-utils.git;a=tree;f=cprogs
>>
>> Another piece of prior art is the 'runas' tool in titantools. However,
>> this is under a non-free licence and its command line interface is not
>> all that great IMO, so it's probably only useful to know about it to
>> avoid using the same (tempting) name.
>
> Hi Colin,
> coreutils already has a minimalist src/setuidgid.c, but currently it's
> not installed. Rather, it is used only when running the test suite:
>
> $ ./setuidgid --help
> Usage: ./setuidgid [SHORT-OPTION]... USER COMMAND [ARGUMENT]...
> or: ./setuidgid LONG-OPTION
> Drop any supplemental groups, assume the user-ID and group-ID of the specified
> USER (numeric ID or user name), and run COMMAND with any specified ARGUMENTs.
> Exit with status 111 if unable to assume the required user and group ID.
> Otherwise, exit with the exit status of COMMAND.
> This program is useful only when run by root (user ID zero).
>
> -g GID[,GID1...] also set the primary group-ID to the numeric GID, and
> (if specified) supplemental group IDs to GID1, ...
> --help display this help and exit
> --version output version information and exit
>
> Does that do what you'd like?
> If so, do you feel like writing a few words in coreutils.texi
> so this part of its --help is no longer a lie?
>
> For complete documentation, run: info coreutils 'setuidgid invocation'
>
> Also, if we're going to install it, we'd have to have a few tests,
> just for it, to exercise its functionality.
>
> I like your proposed name of "chid".
>
> I took a peek at "really" and see that it has several more options
> than setuidgid. If you'd expect to use some of those, we should
> discuss. For example, is --chroot just a convenience? It'd be
> useful to explain in the documentation when/how it can be useful.
>
> I'm game if you are willing to write the patch, with documentation and tests.

This is essentially what the runuser command from Fedora does,
and that is based on the coreutils su command.
How about we just incorporate `runuser` into coreutils upstream?

cheers,
Pádraig.

Information forwarded to bug-coreutils <at> gnu.org: bug#8700; Package coreutils. (Wed, 28 Mar 2012 17:58:02 GMT)

Message #14 received at 8700 <at> debbugs.gnu.org:

Pádraig Brady writes ("Re: bug#8700: Simple way to switch user/group permissions without requiring PAM sessions"):
> On 05/19/2011 03:22 PM, Jim Meyering wrote:
> > Colin Watson wrote:
> >> Every so often I wish that there existed (preferably in the Debian base
> >> system) a tool analogous to chroot that drops privileges from root to a
> >> nominated user, group, etc. and runs a given program.

chiark-really (Source: chiark-utils) has "really" which can do this,
but of course it's not in Debian base and being set-id for its other
purpose it's probably not suitable.

OTOH the code is trivial and the behaviour is I think exactly as
desired.

Ian.

Information forwarded to bug-coreutils <at> gnu.org: bug#8700; Package coreutils. (Mon, 20 Aug 2012 09:25:01 GMT)

Message #17 received at 8700 <at> debbugs.gnu.org:

On 05/24/2012 02:50 PM, Pádraig Brady wrote:
> Note Fedora and Suse use su from coreutils
> while debian use their own:
> http://pkg-shadow.alioth.debian.org/
>
> Note also Fedora has `runuser` which is based on su:
> http://pkgs.fedoraproject.org/gitweb/?p=coreutils.git;a=blob;f=coreutils-8.7-runuser.patch;hb=HEAD
>
> There was also a very related request for
> `runuser` like functionality to be generally available:
> http://bugs.gnu.org/8700
>
> It's probably worth bringing runuser with su,
> no matter where they end up.

So with su being removed in favor of the util-linux implementation,
`runuser` is being implemented there too.
I.E. it will be available outside of redhat/fedora/centos/...
in util-linux >= 2.22, and so should address http://bugs.gnu.org/8700

Note from previous comments in this thread,
it seems like allowing runuser to be built (as an option?)
without requiring PAM, would be useful.

For reference, here are utils with similar functionality:

  chid,really
    Mentioned in feature request from debian
    http://bugs.gnu.org/8700
  chroot --userspec=U:G --groups=G1,G2,G3 /
    since coreutils v7.4-16-gc45c51f
    beware of CVE-2005-4890
  setuidgid
    coreutils internal only
    http://git.sv.gnu.org/gitweb/?p=coreutils.git;a=blob;f=src/setuidgid.c;hb=HEAD
  sg from pwdutils
    http://pubs.opengroup.org/onlinepubs/9699919799/utilities/newgrp.html
  sudo -u -g
  runas from titantools

cheers,
Pádraig.

Information forwarded to bug-coreutils <at> gnu.org: bug#8700; Package coreutils. (Mon, 20 Aug 2012 18:43:02 GMT)

Message #20 received at 8700 <at> debbugs.gnu.org:

On Mon, Aug 20, 2012 at 10:24:05AM +0100, Pádraig Brady wrote:
> On 05/24/2012 02:50 PM, Pádraig Brady wrote:
> > Note Fedora and Suse use su from coreutils
> > while debian use their own:
> > http://pkg-shadow.alioth.debian.org/
> >
> > Note also Fedora has `runuser` which is based on su:
> > http://pkgs.fedoraproject.org/gitweb/?p=coreutils.git;a=blob;f=coreutils-8.7-runuser.patch;hb=HEAD
> >
> > There was also a very related request for
> > `runuser` like functionality to be generally available:
> > http://bugs.gnu.org/8700
> >
> > It's probably worth bringing runuser with su,
> > no matter where they end up.
>
> So with su being removed in favor of the util-linux implementation,
> `runuser` is being implemented there too.
> I.E. it will be available outside of redhat/fedora/centos/...
> in util-linux >= 2.22, and so should address http://bugs.gnu.org/8700

My plan is to merge Fedora runuser patch (it means add -g -G options
to su(1)) after 2.22. It's too late for 2.22 (as we have -rc2 now).

The patch will be available ASAP after 2.22 release in the util-linux
upstream tree and maybe will be in 2.22.1 too.

> Note from previous comments in this thread,
> it seems like allowing runuser to be built (as an option?)
> without requiring PAM, would be useful.
>
> For reference, here are utils with similar functionality:

Thanks for the references!

    Karel

--
Karel Zak <kzak <at> redhat.com>
http://karelzak.blogspot.com

Added tag(s) wontfix. Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Thu, 11 Oct 2018 22:35:02 GMT)

bug closed, send any further explanations to 8700 <at> debbugs.gnu.org and Colin Watson <cjwatson <at> debian.org>. Request was from Assaf Gordon <assafgordon <at> gmail.com> to control <at> debbugs.gnu.org. (Thu, 11 Oct 2018 22:35:03 GMT)

bug archived. Request was from Debbugs Internal Request <help-debbugs <at> gnu.org> to internal_control <at> debbugs.gnu.org. (Fri, 09 Nov 2018 12:24:04 GMT)

This bug report was last modified 5 years and 168 days ago.
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.