Saturday, October 20, 2018

Re: Unable to do "su -m" in OpenBSD 6.4

BTW, the unveil changes were committed roughly 2 months ago. We rely on our
userbase to work along with us, testing our work, that is why -current
is always available. Not accusing anyone specific of having missed the
regression, regressions will happen and test suites are hard to write
(especially in an area like this). If we didn't have help from people
using -current fully, work such as unveil would happen much slower ---
if it happened at all (it is easy to get demoralized working on an
innovative project if it takes 4 years instead of 2 years, which is what
unveil took, actually unveil is the derivative of work started as
"pledgepaths" so it is closer to ~4 years already, imagine adding
another 2 due to slowness). Sufficient use to discover this regression
didn't happen. Oh well. As intended by the design it fails closed,
therefore we can shrug it off and carry on.

> OK, thank you.
>
> I'd like to know if a syspatch is expected with this fix, or I have to
> compile "su" by myself from sources.
>
> Thanks.
>
>
> On 10/20/18 6:47 PM, Theo de Raadt wrote:
> > You've found an unveil bug in su. It needs to allow read access to
> > /etc/shells also, for this specific !altshell + asme + ruid case.
> >
> > Index: su.c
> > ===================================================================
> > RCS file: /cvs/src/usr.bin/su/su.c,v
> > retrieving revision 1.71
> > diff -u -p -u -r1.71 su.c
> > --- su.c 23 Aug 2018 16:52:13 -0000 1.71
> > +++ su.c 20 Oct 2018 16:47:19 -0000
> > @@ -164,6 +164,8 @@ main(int argc, char **argv)
> > err(1, "unveil");
> > if (unveil(_PATH_AUTHPROGDIR, "x") == -1)
> > err(1, "unveil");
> > + if (unveil(_PATH_SHELLS, "r") == -1)
> > + err(1, "unveil");
> > for (;;) {
> > /* get target user, default to root unless in -L mode */
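Review bot: the two added lines open /etc/shells for reading unconditionally, although the accompanying text says the read is only needed in the !altshell + asme + ruid case; that is acceptable for a world-readable file, but a one-line comment above `+ if (unveil(_PATH_SHELLS, "r") == -1)` naming that case would save the next reader the same investigation this thread required. The hunk also shows that a missing unveil on this path produces "permission denied (shell)" rather than an "unveil" error, so the regression was invisible to anyone not running `su -m` as a non-root user; a regress entry exercising exactly that invocation against a standard shell would catch a repeat.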
> >
> >
> >
> >> Today I upgraded my desktop PC from OpenBSD amd64 6.3 to 6.4.
> >>
> >> Up to 6.3 I was able to simply execute "su -m" to become superuser
> >> while keeping all my environment. Now under 6.4 I'm no longer able to
> >> do it:
> >>
> >> casa:/home/giannici> su -m
> >> Password:
> >> su: permission denied (shell).
> >>
> >>
> >> In the man page of su I see "As a security precaution, if the target
> >> user's shell is a non-standard shell (as defined by getusershell(3))
> >> and the caller's real UID is non-zero, su will fail.".
> >>
> >> But here is the output of "/etc/shells":
> >>
> >> casa:/home/giannici> cat /etc/shells
> >> # $OpenBSD: shells,v 1.8 2009/02/14 17:06:40 sobrado Exp $
> >> #
> >> # list of acceptable shells for chpass(1).
> >> # ftpd(8) will not allow users to connect who are not using
> >> # one of these shells, unless the user is listed in /etc/ftpchroot.
> >> /bin/sh
> >> /bin/csh
> >> /bin/ksh
> >> /usr/local/bin/bash
> >> /usr/local/bin/tcsh
> >>
> >> And here is the first line of vipw:
> >>
> >> root:$2b$XXXXXXXXXXXXXXXXSomeothercharacters:0:0:daemon:0:0:Charlie &:/root:/bin/ksh
> >>
> >>
> >> Why can I do "su" but I cannot do "su -m" anymore?
> >>
> >> Thanks.
> >>
> >
>
>
> --
> Federico Giannici   giannici@neomedia.it   http://www.neomedia.it
> Chairman of the Board - Neomedia S.r.l.
>
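The failure the thread describes follows from two pieces of behaviour: getusershell(3) falls back to a built-in list of shells when /etc/shells cannot be opened, and su(1) refuses `su -m` for a non-root caller whose target shell is not on that list. The following Python model, added here and not taken from OpenBSD's su.c or libc, reproduces both pieces so the "permission denied (shell)" outcome can be traced end to end. The /etc/shells text is a constructed copy of the one quoted above; the function names and the `contents is None` convention for "file unreadable because unveil(2) did not grant it" are this example's own.

```python
"""Model of the su(1) standard-shell check and the getusershell(3) fallback.

Added example, not OpenBSD code. It shows why an unveil(2) that omits
/etc/shells makes `su -m` fail closed for a non-root caller whose shell is
/bin/ksh: the shell list silently degrades to the fallback, which does not
contain ksh.
"""
from typing import Optional

# Fallback list getusershell(3) documents for when /etc/shells is unavailable.
DEFAULT_SHELLS = ["/bin/sh", "/bin/csh"]

# Constructed copy of the /etc/shells contents quoted in the thread.
SAMPLE_ETC_SHELLS = """\
# $OpenBSD: shells,v 1.8 2009/02/14 17:06:40 sobrado Exp $
#
# list of acceptable shells for chpass(1).
/bin/sh
/bin/csh
/bin/ksh
/usr/local/bin/bash
/usr/local/bin/tcsh
"""


def user_shells(contents: Optional[str]) -> list[str]:
    """Return the list of standard shells, mimicking getusershell(3).

    `contents` is the text of /etc/shells, or None when the file could not be
    opened (the situation su is in when unveil(2) has not exposed the path).
    Comment lines and blank lines are skipped; only the first word of each
    remaining line counts, and it must be an absolute path.
    """
    if contents is None:
        return list(DEFAULT_SHELLS)
    shells = []
    for line in contents.splitlines():
        word = line.strip().split(None, 1)[0] if line.strip() else ""
        if not word or word.startswith("#") or not word.startswith("/"):
            continue
        shells.append(word)
    return shells


def su_shell_permitted(target_shell: str, real_uid: int,
                       altshell: bool, asme: bool,
                       shells: list[str]) -> bool:
    """Apply the su(1) rule: with -m and no -s, a caller whose real UID is
    non-zero may only proceed if the target user's shell is a standard one.
    Root, the -s (altshell) path and plain `su` without -m are unaffected,
    which matches the "!altshell + asme + ruid" case named in the thread.
    """
    if altshell or not asme or real_uid == 0:
        return True
    return target_shell in shells


def reproduce_thread(etc_shells: Optional[str]) -> bool:
    """`su -m` as an unprivileged user to root, whose shell is /bin/ksh."""
    return su_shell_permitted("/bin/ksh", real_uid=1000,
                              altshell=False, asme=True,
                              shells=user_shells(etc_shells))


if __name__ == "__main__":
    # With /etc/shells readable the check passes; with it unveiled away the
    # fallback list is used and su reports "permission denied (shell)".
    print("readable /etc/shells :", reproduce_thread(SAMPLE_ETC_SHELLS))
    print("unreadable /etc/shells:", reproduce_thread(None))
```

The point worth keeping from the model is the second branch: a file that cannot be opened does not raise an error inside su, it shrinks the allow-list, so the symptom surfaces as a policy denial rather than as the missing unveil that caused it. Anyone writing a similar sandbox for a setuid program should check every path a fallback-bearing libc routine opens, not only the ones the program opens directly.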
