Gentoo Forums
su -m not allowed for /usr/sbin/nologin? [SOLVED]
dfelicia
PostPosted: Mon Oct 02, 2006 4:54 pm    Post subject: su -m not allowed for /usr/sbin/nologin? [SOLVED] Reply with quote

On other Linux distros, this works for restricted users (a user with the /usr/sbin/nologin shell):

Code:

su -m apache -c "echo test"


Where apache is the ID of a restricted user.

Gentoo doesn't allow it. How and why? I'll assume the why is for security reasons, but how? PAM?


Last edited by dfelicia on Tue Oct 03, 2006 12:03 pm; edited 1 time in total
GetCool
PostPosted: Mon Oct 02, 2006 5:08 pm    Post subject: Reply with quote

Do you get any output, either at the console or in your logs?
dfelicia
PostPosted: Mon Oct 02, 2006 5:15 pm    Post subject: Reply with quote

Yes.

Code:

# su -m apache -c "echo test"
This account is currently not available.
GetCool
PostPosted: Mon Oct 02, 2006 5:38 pm    Post subject: Reply with quote

dfelicia wrote:

Code:

# su -m apache -c "echo test"
This account is currently not available.


Well, I know this message appears when the account's shell isn't a valid shell. According to the man page for su:

man su wrote:

-m, -p, --preserve-environment
Preserve the current environment.

If the target user has a restricted shell, this option has no
effect (unless su is called by root).


Edit: Although rereading your post it looks like you are running this command as root?
dfelicia
PostPosted: Mon Oct 02, 2006 5:42 pm    Post subject: Reply with quote

Quote:

(unless su is called by root)


In my case su is called by root. I expect that -m will cause su to NOT process the user's login shell, as on other Linux/UNIX. On Gentoo, however, it does, as the /sbin/nologin output demonstrates.

So am I hitting a feature that I don't understand, or a bug?
GetCool
PostPosted: Mon Oct 02, 2006 6:39 pm    Post subject: Reply with quote

dfelicia wrote:
So am I hitting a feature that I don't understand, or a bug?


It's probably a PAM thing. Could it be this line in /etc/pam.d/login?

Code:
auth       required     pam_nologin.so


I don't really know much about PAM modules, so if you want to reconfigure PAM, I can't really be of any help.
dfelicia
PostPosted: Tue Oct 03, 2006 12:03 pm    Post subject: Reply with quote

I entered a bug for this behavior, and it was marked invalid with this explanation:

Quote:

------- Comment #1 from vapier@gentoo.org 2006-10-02 21:59 PST -------
-m has nothing to do with it

the -c option will always use the SHELL of the specified user ... the user here
is apache and the default shell is /bin/false, so `su apache -c "..."` will
execute `/bin/false ...`

you need to use the -s option to specify a different shell than the default


As advertised, -s does the trick:

Code:

su -s /bin/bash -m apache -c "echo foo"
foo
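As an added illustration of the thread's conclusion (not code from the thread, from Gentoo, or from the su man page): a POSIX sh script that reads a target account's login shell from a constructed /etc/passwd excerpt, builds the su invocation with -s only when that shell is a nologin/false shell, and audits system accounts whose shell is not restricted. All account names and entries below are made up.

```shell
#!/bin/sh
# Constructed /etc/passwd excerpt (not from any real system); the apache
# entry mirrors the thread: a service account whose login shell is /bin/false.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
apache:x:81:81:apache:/var/www:/bin/false
postgres:x:70:70:postgres:/var/lib/postgresql:/sbin/nologin
backup:x:34:34:backup:/var/backups:/bin/bash
alice:x:1000:1000:alice:/home/alice:/bin/bash'

# login_shell_of USER PASSWD_TEXT: print the 7th field of USER's passwd entry.
login_shell_of() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7; exit }'
}

# is_restricted_shell SHELL: true for the usual "no login" shells. This is
# exactly what `su USER -c CMD` hands CMD to, and such a shell never runs CMD.
is_restricted_shell() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# su_cmd_for USER CMD PASSWD_TEXT: print the su invocation that actually runs
# CMD. As the bug comment in the thread states, -c always uses the target
# user's shell and -m changes nothing, so a restricted shell needs -s.
su_cmd_for() {
    _shell=$(login_shell_of "$1" "$3")
    [ -n "$_shell" ] || { echo "no such user: $1" >&2; return 1; }
    if is_restricted_shell "$_shell"; then
        printf 'su -s /bin/sh %s -c %s\n' "$1" "'$2'"
    else
        printf 'su %s -c %s\n' "$1" "'$2'"
    fi
}

# audit_service_shells PASSWD_TEXT: list system accounts (uid 1..999) whose
# shell is NOT restricted; these accept interactive logins and deserve review.
audit_service_shells() {
    printf '%s\n' "$1" |
        awk -F: '$3 > 0 && $3 < 1000 && $7 !~ /(nologin|false)$/ { print $1 ":" $7 }'
}

main() {
    su_cmd_for apache 'echo test' "$SAMPLE_PASSWD"
    echo "system accounts with a real login shell:"
    audit_service_shells "$SAMPLE_PASSWD"
}

main "$@"
```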