dfelicia (Apprentice)
Joined: 11 May 2005 Posts: 281 Location: Southwestern Connecticut
Posted: Mon Oct 02, 2006 4:54 pm Post subject: su -m not allowed for /usr/sbin/nologin? [SOLVED]
On other Linux distros, this works for restricted users (users with a /usr/sbin/nologin shell):
Code:
su -m apache -c "echo test"
Where apache is the ID of a restricted user.
Gentoo doesn't allow it. How and why? I'll assume the why is for security reasons, but how? PAM?
Last edited by dfelicia on Tue Oct 03, 2006 12:03 pm; edited 1 time in total
GetCool (Guru)
Joined: 23 Nov 2003 Posts: 324 Location: Madison, Wisconsin
Posted: Mon Oct 02, 2006 5:08 pm
Do you get any output, either at the console or in your logs?

dfelicia (Apprentice)
Joined: 11 May 2005 Posts: 281 Location: Southwestern Connecticut
Posted: Mon Oct 02, 2006 5:15 pm
Yes.
Code:
# su -m apache -c "echo test"
This account is currently not available.

GetCool (Guru)
Joined: 23 Nov 2003 Posts: 324 Location: Madison, Wisconsin
Posted: Mon Oct 02, 2006 5:38 pm
dfelicia wrote:
Code:
# su -m apache -c "echo test"
This account is currently not available.

Well, I know this message appears when the account's shell isn't a valid shell. According to the man page for su:
man su wrote:
-m, -p, --preserve-environment
    Preserve the current environment.
    If the target user has a restricted shell, this option has no
    effect (unless su is called by root).
Edit: Although, rereading your post, it looks like you are running this command as root?

dfelicia (Apprentice)
Joined: 11 May 2005 Posts: 281 Location: Southwestern Connecticut
Posted: Mon Oct 02, 2006 5:42 pm
Quote:
(unless su is called by root)

In my case su is called by root. I expect that -m will cause su to NOT process the user's login shell, as on other Linux/UNIX. On Gentoo, however, it does, as the /sbin/nologin output demonstrates.
So am I hitting a feature that I don't understand, or a bug?

GetCool (Guru)
Joined: 23 Nov 2003 Posts: 324 Location: Madison, Wisconsin
Posted: Mon Oct 02, 2006 6:39 pm
dfelicia wrote:
So am I hitting a feature that I don't understand, or a bug?

It's probably a PAM thing. Could it be this line in /etc/pam.d/login?
Code:
auth required pam_nologin.so
I don't really know much about PAM modules, so if you want to reconfigure PAM, I can't really be of any help.

dfelicia (Apprentice)
Joined: 11 May 2005 Posts: 281 Location: Southwestern Connecticut
Posted: Tue Oct 03, 2006 12:03 pm
I entered a bug for this behavior, and it was marked invalid with this explanation:
Quote:
------- Comment #1 from vapier@gentoo.org 2006-10-02 21:59 PST -------
-m has nothing to do with it
the -c option will always use the SHELL of the specified user ... the user here
is apache and the default shell is /bin/false, so `su apache -c "..."` will
execute `/bin/false ...`
you need to use the -s option to specify a different shell than the default

As advertised, -s does the trick:
Code:
su -s /bin/bash -m apache -c "echo foo"
foo
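The behaviour vapier describes, as an added example that is not part of the thread: su hands -c to the target user's login shell regardless of -m, so an account whose shell is /bin/false or nologin never runs the command; the wrapper below models that step without root and picks the -s override from a constructed passwd line (the apache entry is made up for illustration).

```shell
#!/bin/sh
# Added example (not from the forum thread). Models why `su USER -c CMD`
# fails for a service account with a refusing shell and how to choose -s.
# Nothing here needs root: su's exec step is only modelled, and the
# passwd entry below is constructed, not read from a real system.

# su ultimately runs `$SHELL -c CMD` with the target user's login shell,
# whether or not -m was given. This reproduces that step for a given shell.
run_via_shell() {
    shell=$1; cmd=$2
    "$shell" -c "$cmd"
}

# True when the login shell only refuses logins and will swallow -c.
is_restricted_shell() {
    case "$1" in
        */nologin|*/false) return 0 ;;
        *) return 1 ;;
    esac
}

# Shell to pass to `su -s` for a passwd(5) line: the account's own shell
# when it can run commands, otherwise /bin/sh.
shell_for_su() {
    passwd_line=$1
    shell=$(printf '%s\n' "$passwd_line" | cut -d: -f7)
    if is_restricted_shell "$shell"; then
        printf '%s\n' /bin/sh
    else
        printf '%s\n' "$shell"
    fi
}

# Constructed passwd entry resembling a Gentoo apache account.
APACHE_LINE='apache:x:81:81:apache:/var/www:/bin/false'

# Real use (as root): su -s "$(shell_for_su "$(getent passwd apache)")" -m apache -c "echo test"
```

Running `run_via_shell /bin/false 'echo test'` prints nothing and exits non-zero, which is exactly what `su apache -c "echo test"` did in the thread; `run_via_shell /bin/sh 'echo test'` prints test.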