Saturday, October 20, 2018

Re: Unable to do "su -m" in OpenBSD 6.4

OK, thank you.

I'd like to know if a syspatch is expected with this fix, or I have to
compile "su" by myself from sources.

Thanks.


On 10/20/18 6:47 PM, Theo de Raadt wrote:
> You've found an unveil bug in su. It needs to allow read access to
> /etc/shells also, for this specific !altshell + asme + ruid case.
>
> Index: su.c
> ===================================================================
> RCS file: /cvs/src/usr.bin/su/su.c,v
> retrieving revision 1.71
> diff -u -p -u -r1.71 su.c
> --- su.c 23 Aug 2018 16:52:13 -0000 1.71
> +++ su.c 20 Oct 2018 16:47:19 -0000
> @@ -164,6 +164,8 @@ main(int argc, char **argv)
> err(1, "unveil");
> if (unveil(_PATH_AUTHPROGDIR, "x") == -1)
> err(1, "unveil");
> + if (unveil(_PATH_SHELLS, "r") == -1)
> + err(1, "unveil");
>
> for (;;) {
> /* get target user, default to root unless in -L mode */
>
>
>
>> Today I upgraded my desktop PC from OpenBSD amd64 6.3 to 6.4.
>>
>> Up to 6.3 I was able to simply execute "su -m" to become superuser
>> while keeping all my enviroment. Now under 6.4 I'm no longer able to
>> do it:
>>
>> casa:/home/giannici> su -m
>> Password:
>> su: permission denied (shell).
>>
>>
>> In the man page of su I see "As a security precaution, if the target
>> user's shell is a non-standard shell (as defined by getusershell(3))
>> and the caller's real UID is non-zero, su will fail.".
>>
>> But here is the output of "/etc/shells":
>>
>> casa:/home/giannici> cat /etc/shells
>> # $OpenBSD: shells,v 1.8 2009/02/14 17:06:40 sobrado Exp $
>> #
>> # list of acceptable shells for chpass(1).
>> # ftpd(8) will not allow users to connect who are not using
>> # one of these shells, unless the user is listed in /etc/ftpchroot.
>> /bin/sh
>> /bin/csh
>> /bin/ksh
>> /usr/local/bin/bash
>> /usr/local/bin/tcsh
>>
>> And here is the first line of vipw:
>>
>> root:$2b$XXXXXXXXXXXXXXXXSomeothercharacters:0:0:daemon:0:0:Charlie
>> &:/root:/bin/ksh
>>
>>
>> Why I can do "su" but I cannot do "su -m" anymore?
>>
>> Thanks.
>>
>


--
___________________________________________________
__
|- giannici@neomedia.it
|ederico Giannici http://www.neomedia.it

Presidente del CDA - Neomedia S.r.l.
___________________________________________________

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)