Re: mandb wrapper scripts
On Tue, Feb 08, 2000 at 11:25:45AM +0100, Petr Cech wrote:
> On Tue, Feb 08, 2000 at 12:14:01PM +0200 , Fabrizio Polacco wrote:
> > #!/bin/sh -e
> > pgm=`basename $0`
> > edir=/usr/lib/man-db
> > cmd="${edir}/${pgm} ${1+$@}"
> > usrsw=" -s /bin/sh nobody"
> > su -s /bin/true 2>/dev/null || usrsw=" man"
> > test -w /root && exec su ${usrsw} -c ${1+"$cmd"}
> ^^^^^^^^^^^^^
> this is evil.
Another reason to forget that mail.
I also simply cut and pasted it, forgetting I already got
[ `id -u` = 0 ] && exec...
The other two issues still open are:
* Not all the ports have su -s working.
* The local sysadmin can disable the shell of user nobody.
# After executing
[ `id -u` = 0 ] || exec ${cmd}
# we are sure we are root.
# Now we can test for nobody's shell:
su nobody -c "/bin/true" && exec su nobody -c ${1+"$cmd"}
# At this point we know that nobody has no shell.
# we need su -s but we have to test it before.
su -s /bin/true 2>/dev/null && exec su -s /bin/sh nobody -c ${1+"$cmd"}
# everything failed: no shell and no su -s ... use less-secure user man.
exec su man -c ${1+"$cmd"}
The script:
#!/bin/sh -e
pgm=`basename $0`
edir=/usr/lib/man-db
cmd="${edir}/${pgm} ${1+$@}"
[ `id -u` = 0 ] || exec ${cmd}
su nobody -c "/bin/true" && exec su nobody -c ${1+"$cmd"}
su -s /bin/true 2>/dev/null && exec su -s /bin/sh nobody -c ${1+"$cmd"}
exec su man -c ${1+"$cmd"}
a quick test before hitting y
...
works!
fab
--
| fab@pukki.ntc.nokia.com fpolacco@prosa.it fpolacco@debian.org
| 6F7267F5 fingerprint 57 16 C4 ED C9 86 40 7B 1A 69 A1 66 EC FB D2 5E
| fabrizio.polacco@nokia.com gsm: +358 (0)40 707 2468
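
Added example, not part of the original message: the same fallback order (nobody, then su -s, then man), with each argument single-quoted before it is joined into the string given to su -c, so words containing spaces or shell metacharacters reach the program unchanged. The SU override and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not the script from the message above.
# SU is a hypothetical override so the logic can be tested without root.
SU=${SU:-su}

# Single-quote every argument so the shell that su starts sees the
# original words, even with spaces, quotes or $(...) in them.
shell_quote() {
    out=
    for arg in "$@"; do
        # Turn each ' into '\''; the trailing x protects final newlines
        # from being stripped by the command substitution.
        esc=$(printf '%sx\n' "$arg" | sed "s/'/'\\\\''/g")
        out="${out:+$out }'${esc%x}'"
    done
    printf '%s' "$out"
}

# Print the su arguments to use, probing in the order the message gives:
# nobody's own shell, then su -s, then the man user as last resort.
drop_args() {
    if "$SU" nobody -c /bin/true 2>/dev/null; then
        echo "nobody"
    elif "$SU" -s /bin/true 2>/dev/null; then
        echo "-s /bin/sh nobody"
    else
        echo "man"
    fi
}

# Run target with its arguments: directly when not root, otherwise
# through su as the user chosen by drop_args.
run_wrapped() {
    target=$1; shift
    [ "$(id -u)" = 0 ] || exec "$target" "$@"
    cmd=$(shell_quote "$target" "$@")
    # Unquoted on purpose: drop_args prints a fixed, space-separated list.
    exec "$SU" $(drop_args) -c "$cmd"
}

# In a wrapper: run_wrapped "/usr/lib/man-db/$(basename "$0")" "$@"
```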