Mailinglist Archive: opensuse (3574 mails)
Re: [opensuse] su problem/question
- From: Randall R Schulz <rschulz@xxxxxxxxx>
- Date: Tue, 26 Feb 2008 15:39:26 -0800
- Message-id: <200802261539.26219.rschulz@xxxxxxxxx>
On Tuesday 26 February 2008 14:54, Markus Moeller wrote:
> When I su from root to another id I can no longer list links in
> /proc/'pid'/ of the original process. This creates a problem when
> for example running perl as root and switching id (using $>) after
> which in some circumstances perl tries to start /proc/self/exe which
> is a link to /usr/bin/perl and fails.
>
> Is this a known bug?

It's a known behavior, but by no means a bug!

The only way you're going to make this work is by acquiring access
(opening a file, e.g.) and by then passing that descriptor across the
ID change back to the restricted UID.

This is possible when writing in C (and many other languages, including
scripting languages). Doing it from the shell is at best a trickier
proposition. In particular, while the shell allows much more than the
usual ">", "<", "|" operators, I see no indication (in the man or
info page) that su will participate in such machinations. It may simply
allow all non-standard descriptors (those other than 0, 1 and 2) to
persist after the UID change and the new process is executed, or it may,
as a security measure, close all but those descriptors.

You'll have to experiment.

> Thank you
> Markus

Randall Schulz
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
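The descriptor-passing workaround Randall describes, written out in C as an added example (it is not code from this thread). On Linux a process whose credentials change is marked non-dumpable, so its /proc/<pid> entries become root-owned and the new, unprivileged uid can no longer follow /proc/self/exe by path; a descriptor opened before the uid change is unaffected, because fstat and fexecve work on the open file and do no path lookup. The in-process case (Perl's `$>`) is what `main` shows; for the su/exec case it only leaves O_CLOEXEC off, and whether su keeps the descriptor open is, as Randall says, something to check on your system (for instance with `ls -l /proc/self/fd` inside the su shell). The uid/gid 65534 for "nobody" is an assumption.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

extern char **environ;

/* Open a path while we still hold the privileges needed to reach it.
 * O_CLOEXEC is deliberately left off so the descriptor would also survive
 * an exec (the su case); add it when the descriptor is only needed in this
 * process. Returns the descriptor, or -1 with errno set. */
int acquire_before_drop(const char *path)
{
    return open(path, O_RDONLY);
}

/* Drop from root to an unprivileged uid/gid in the only order that works:
 * supplementary groups, then gid, then uid. Returns 0 on success, -1 if a
 * step failed or if root could be regained afterwards. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;   /* the drop must be irreversible */
    return 0;
}

/* Resolve /proc/self/exe by path. Returns 1 and fills buf on success,
 * 0 on failure (errno left as readlink set it). */
int can_readlink_self_exe(char *buf, size_t len)
{
    ssize_t n = readlink("/proc/self/exe", buf, len - 1);
    if (n < 0) return 0;
    buf[n] = '\0';
    return 1;
}

/* Check an already-open descriptor with fstat, which needs no path lookup.
 * Returns 1 if the descriptor is usable, 0 otherwise. */
int fd_still_usable(int fd)
{
    struct stat st;
    return fstat(fd, &st) == 0;
}

int main(void)
{
    char buf[4096];
    int fd = acquire_before_drop("/proc/self/exe");   /* acquire first */
    if (fd < 0) { perror("open /proc/self/exe"); return 1; }

    if (geteuid() != 0) {
        printf("not root: running as uid %u, no uid change to demonstrate\n",
               (unsigned)geteuid());
        return 0;
    }
    /* assumed "nobody" uid/gid; check /etc/passwd on your system */
    if (drop_privileges(65534, 65534) != 0) { perror("drop_privileges"); return 1; }

    printf("readlink(/proc/self/exe) after setuid: %s\n",
           can_readlink_self_exe(buf, sizeof buf) ? buf : strerror(errno));
    printf("fstat on the pre-opened descriptor:   %s\n",
           fd_still_usable(fd) ? "ok" : strerror(errno));

    /* Markus's failing step, done the working way: execute the retained
     * descriptor instead of the now-unreadable path. The re-executed
     * program runs as nobody and prints its "not root" line. */
    char *const argv[] = { "retained-exe", NULL };
    fexecve(fd, argv, environ);
    perror("fexecve");
    return 1;
}
```

Run it once as root and once as an ordinary user: only the root run exercises the uid change, after which readlink fails with EACCES-style errors while the retained descriptor still answers fstat and can be executed.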