Probably not.
> OK, thank you.
>
> I'd like to know if a syspatch is expected with this fix, or I have to
> compile "su" by myself from sources.
>
> Thanks.
>
>
> On 10/20/18 6:47 PM, Theo de Raadt wrote:
> > You've found an unveil bug in su. It needs to allow read access to
> > /etc/shells also, for this specific !altshell + asme + ruid case.
> >
> > Index: su.c
> > ===================================================================
> > RCS file: /cvs/src/usr.bin/su/su.c,v
> > retrieving revision 1.71
> > diff -u -p -u -r1.71 su.c
> > --- su.c 23 Aug 2018 16:52:13 -0000 1.71
> > +++ su.c 20 Oct 2018 16:47:19 -0000
> > @@ -164,6 +164,8 @@ main(int argc, char **argv)
> > err(1, "unveil");
> > if (unveil(_PATH_AUTHPROGDIR, "x") == -1)
> > err(1, "unveil");
> > + if (unveil(_PATH_SHELLS, "r") == -1)
> > + err(1, "unveil");
> > for (;;) {
> > /* get target user, default to root unless in -L mode */
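Review bot: the added unveil(_PATH_SHELLS, "r") is unconditional, while the cover note scopes the need to the !altshell + asme + non-zero ruid path; that is the right call, since a read-only unveil of one file costs nothing and keeps the hunk simple, but a one-line comment next to the new call naming the getusershell(3) dependency would stop a future cleanup from narrowing it back. The failure mode this fixes was also silent: with the file hidden by unveil, getusershell(3) reported no standard shells and the user saw "permission denied (shell)." instead of anything mentioning unveil, so an explicit error when the shells file cannot be opened would make the next regression of this kind diagnosable.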
> >
> >
> >
> >> Today I upgraded my desktop PC from OpenBSD amd64 6.3 to 6.4.
> >>
> >> Up to 6.3 I was able to simply execute "su -m" to become superuser
> >> while keeping all my environment. Now under 6.4 I'm no longer able to
> >> do it:
> >>
> >> casa:/home/giannici> su -m
> >> Password:
> >> su: permission denied (shell).
> >>
> >>
> >> In the man page of su I see "As a security precaution, if the target
> >> user's shell is a non-standard shell (as defined by getusershell(3))
> >> and the caller's real UID is non-zero, su will fail.".
> >>
> >> But here is the output of "/etc/shells":
> >>
> >> casa:/home/giannici> cat /etc/shells
> >> # $OpenBSD: shells,v 1.8 2009/02/14 17:06:40 sobrado Exp $
> >> #
> >> # list of acceptable shells for chpass(1).
> >> # ftpd(8) will not allow users to connect who are not using
> >> # one of these shells, unless the user is listed in /etc/ftpchroot.
> >> /bin/sh
> >> /bin/csh
> >> /bin/ksh
> >> /usr/local/bin/bash
> >> /usr/local/bin/tcsh
> >>
> >> And here is the first line of vipw:
> >>
> >> root:$2b$XXXXXXXXXXXXXXXXSomeothercharacters:0:0:daemon:0:0:Charlie
> >> &:/root:/bin/ksh
> >>
> >>
> >> Why can I do "su" but cannot do "su -m" anymore?
> >>
> >> Thanks.
> >>
> >
>
>
> --
> ___________________________________________________
> __
> |- giannici@neomedia.it
> |ederico Giannici http://www.neomedia.it
>
> Presidente del CDA - Neomedia S.r.l.
> ___________________________________________________
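The check that produced "permission denied (shell)." above, as an added illustration written for this archive and not code from OpenBSD's su(1): it parses a shells(5)-style list the way getusershell(3) does (blank lines and `#` comments skipped, one path per line), applies the man-page rule quoted in the thread for the `-m` (asme), no alternative shell, non-root caller case, and shows why an unreadable /etc/shells turns into a denial for every non-root `su -m`. The names `SAMPLE_SHELLS`, `shell_is_standard` and `su_shell_allowed` are this example's own; the embedded shells list is a constructed copy of the one quoted in the thread, and passing `NULL` as the database stands in for the file being hidden by unveil(2). The `#ifdef __OpenBSD__` block applies the same read-only unveil the patch adds, so the example runs unchanged on other systems.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#ifdef __OpenBSD__
#include <err.h>
#include <paths.h>
#include <unistd.h>
#endif

/* Constructed copy of the /etc/shells contents quoted in the thread. */
static const char *SAMPLE_SHELLS =
    "# $OpenBSD: shells,v 1.8 2009/02/14 17:06:40 sobrado Exp $\n"
    "#\n"
    "# list of acceptable shells for chpass(1).\n"
    "/bin/sh\n"
    "/bin/csh\n"
    "/bin/ksh\n"
    "/usr/local/bin/bash\n"
    "/usr/local/bin/tcsh\n";

/* Return 1 if `shell` is listed in the shells(5)-style text `db`, else 0.
 * Mirrors getusershell(3): blank lines and '#' comments are skipped and
 * every remaining line is one absolute path.  A NULL db models a file that
 * could not be read (what unveil caused): then no shell is "standard",
 * which is exactly the symptom reported in the thread. */
int shell_is_standard(const char *db, const char *shell)
{
    if (db == NULL)
        return 0;
    const char *line = db;
    size_t want = strlen(shell);
    while (*line) {
        const char *end = strchr(line, '\n');
        size_t len = end ? (size_t)(end - line) : strlen(line);
        /* trim trailing whitespace / CR */
        while (len > 0 && (line[len - 1] == ' ' || line[len - 1] == '\t' ||
                           line[len - 1] == '\r'))
            len--;
        /* skip leading whitespace */
        size_t start = 0;
        while (start < len && (line[start] == ' ' || line[start] == '\t'))
            start++;
        if (start < len && line[start] != '#' &&
            len - start == want && memcmp(line + start, shell, want) == 0)
            return 1;
        if (end == NULL)
            break;
        line = end + 1;
    }
    return 0;
}

/* The su(1) rule quoted from the man page, restricted to the case the
 * patch names: caller keeps their environment (-m, "asme"), chose no
 * alternative shell (!altshell) and has a non-zero real UID.  Returns 1 if
 * su may proceed, 0 for "permission denied (shell).". */
int su_shell_allowed(int asme, int altshell, unsigned ruid,
                     const char *target_shell, const char *db)
{
    if (asme && !altshell && ruid != 0)
        return shell_is_standard(db, target_shell);
    return 1;
}

int main(void)
{
#ifdef __OpenBSD__
    /* The fix from the thread: without read access to _PATH_SHELLS the
     * check below sees an empty shell list and denies every non-root su -m. */
    if (unveil(_PATH_SHELLS, "r") == -1)
        err(1, "unveil");
    if (unveil(NULL, NULL) == -1)
        err(1, "unveil");
#endif
    /* Non-root "su -m" to root, whose shell is /bin/ksh (a listed shell). */
    printf("su -m with readable /etc/shells: %s\n",
           su_shell_allowed(1, 0, 1000, "/bin/ksh", SAMPLE_SHELLS)
               ? "allowed" : "permission denied (shell).");
    /* Same request when /etc/shells cannot be read (the unveil bug). */
    printf("su -m with unreadable /etc/shells: %s\n",
           su_shell_allowed(1, 0, 1000, "/bin/ksh", NULL)
               ? "allowed" : "permission denied (shell).");
    /* Plain "su" (no -m) never consults the list, which is why it kept working. */
    printf("plain su: %s\n",
           su_shell_allowed(0, 0, 1000, "/bin/ksh", NULL)
               ? "allowed" : "permission denied (shell).");
    return 0;
}
```

The second printf reproduces the thread's symptom: the caller, the target user and /etc/shells are all fine, but because the file is invisible to the process the list comes back empty and the legitimate shell is treated as non-standard. That is why the fix is a read-only unveil of the shells file rather than any change to the policy itself.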