Re: Unexpected permission denied

On Thu, Jan 26, 2023 at 10:26:34AM +0700, Max Nikulin wrote:
> Greg, I agree with your warnings. Just out of curiosity, is there a reason
> why the following variant may still be unsafe?
> 
> runas() { local who=$1; shift; su --login "$who" --shell=/bin/bash --command='"$0" "$@"' -- "$@"; }

1) http://jdebp.info/FGA/dont-abuse-su-for-dropping-privileges.html

2) --login is a TERRIBLE option.  It's the same as "su -" which is just
   as terrible (portably terrible).  It causes your command to be preceded
   by the reading of some user's dot file.  Why would you ever want that?
   You have no idea what will happen.  You have no idea what's in that file.

   I call this "Oracle poisoning" because it seems to be a favorite of
   Oracle database users.  Their documentation is full of this crap.
   Apparently their software doesn't work properly unless you set a bunch
   of environment variables, and they somehow came to the idea that the
   best place to set those environment variables was in some user's
   shell's dot files, and to have those files be read in by mission-
   critical scripts like the ones that start the database at boot time.

   Horrifying.

3) --command='"$0" "$@"' is ... very unintuitive, even for an experienced
   shell user.  I think I see what you're doing there, but it took me
   several minutes and some experimentation to work it out.

   I'm not sure if this variant is any clearer:

   su "$who" -c '"$@"' -- x "$@"

   Both forms will definitely confuse a novice.  For those reading along,
   the first key is that the -- is being processed by su, not by the
   shell.  The shell ends up seeing one of these forms:

   bash -c '"$0" "$@"' my command here
   bash -c '"$@"' x my command here

   The second key is that the -c option is followed by a script, and
   then by that script's $0 (a placeholder), and then by that script's
   positional parameters (which end up in "$@").  Max is forcing the
   script to use the $0 placeholder as part of the command.  My variant
   is inserting an explicit placeholder in front of the command.

   As far as "safety" goes... I think this part passes muster.  Can't say
   I've ever seen su contortions like this before.  Most people would just
   use sudo or setpriv instead, unless the aim is portability, in which
   case you would be using su's portable options (-c) rather than the
   non-portable --long-options.

4) http://jdebp.info/FGA/dont-abuse-su-for-dropping-privileges.html

   Seriously.
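For readers following the "what the shell ends up seeing" explanation above, here is an added example (not part of the original thread) that replaces su with a plain `bash -c` so the two forms can be run unprivileged, alongside the flattened-string shortcut they are meant to avoid:

```shell
# Added example, not from the original message. `su ... -c SCRIPT -- ARGS...`
# ends up running the user's shell as `bash -c SCRIPT ARGS...`; these
# functions do exactly that step, minus su, so the quoting can be inspected.

# Max's form: the -c script is '"$0" "$@"'. The first word of the command
# becomes the script's $0 and the remaining words become its positional
# parameters, so each argument reaches the command as one word, spaces intact.
run_via_dollar0() {
    bash -c '"$0" "$@"' "$@"
}

# Greg's variant: an explicit placeholder ("x") occupies $0 and the whole
# command lands in "$@". Same result, with the placeholder made visible.
run_via_placeholder() {
    bash -c '"$@"' x "$@"
}

# The shortcut people reach for instead: join the command into one string.
# The inner shell re-parses that string, so 'hello world' arrives as two
# words and any quote, glob or redirection characters in the arguments are
# interpreted rather than passed through. Shown only for contrast.
run_flattened() {
    bash -c "$*"
}

# Demonstration: the same command through each path.
run_via_dollar0     printf '%s,' 'hello world' two; echo   # hello world,two,
run_via_placeholder printf '%s,' 'hello world' two; echo   # hello world,two,
run_flattened       printf '%s,' 'hello world' two; echo   # hello,world,two,
```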
