Code: Select all
su -m apache -c "echo test"
Gentoo doesn't allow it. How and why? I'll assume the why is for security reasons, but how? PAM?
su -m not allowed for /usr/sbin/nologin? [SOLVED]
Message
su -m not allowed for /usr/sbin/nologin? [SOLVED]
On other Linux distro's, this works for restricted users (user with /usr/sbin/nlogin shell):
Where apache is the ID of a a restricted user.
Gentoo doesn't allow it. How and why? I'll assume the why is for security reasons, but how? PAM?
Gentoo doesn't allow it. How and why? I'll assume the why is for security reasons, but how? PAM?
Last edited by dfelicia on Tue Oct 03, 2006 12:03 pm, edited 1 time in total.
Yes.
Code: Select all
# su -m apache -c "echo test"
This account is currently not available.
Well, I know this message appears when the account's shell isn't a valid shell. According to the man page for su:dfelicia wrote:Code: Select all
# su -m apache -c "echo test" This account is currently not available.
Edit: Although rereading your post it looks like you are running this command as root?man su wrote: -m, -p, --preserve-environment
Preserve the current environment.
If the target user has a restricted shell, this option has no
effect (unless su is called by root).
It's probably a PAM thing. Could it be this line in /etc/pam.d/login?dfelicia wrote:So am I hitting a feature that I don't understand, or a bug?
Code: Select all
auth required pam_nologin.soI entered a bug for this behavior, and it was marked invalid with this explanation:
As advertised, -s does the trick:------- Comment #1 from vapier@gentoo.org 2006-10-02 21:59 PST -------
-m has nothing to do with it
the -c option will always use the SHELL of the specified user ... the user here
is apache and the default shell is /bin/false, so `su apache -c "..."` will
execute `/bin/false ...`
you need to use the -s option to specify a different shell than the default
Code: Select all
su -s /bin/bash -m apache -c "echo foo"
foo