Thank you, Dan, Ben, and Frank. I see that I have left out some
important information:

user2 is specified as a non-login class of user in /etc/login.conf,
auth=reject: shell=/sbin/nologin, and has a default shell of
/sbin/nologin in /etc/passwd.

On Tue, Sep 22, 2015 at 5:41 PM, Joel Rees <joel.r...@gmail.com> wrote:
> I have this rule in doas.conf:
>
>     permit nopass user1 as user2
>
> As user1, I try this at the command line:
>
>     doas -u user2 whoami
>
> and it tells me I am user2, as I expect. And
>
>    doas -u user2 ls
>
> tells me I don't have permission. I kind of expect this.
>
> I'm looking for a way to do the equivalent of
>
>     sudo -u user2 -s "cd; ls"
>
> I don't see a way to do this with doas, at least not without a short
> intermediary script, which script is not going to be able to do cd ~/.
>
> Should I assume that doas is not intended to do this sort of thing?

With this intermediary script:

    #! /bin/sh
    # intermediary script, invoked from user1's shell as: doas -u user2 ./script
    export USER=user2
    # pull in the interactive ksh settings (OpenBSD's /bin/sh is ksh)
    . /etc/ksh.kshrc
    # show what environment doas actually handed us, then try the listing
    printenv
    ls

I get

    MAIL=/var/mail/user1
    LOGNAME=user1
    HOME=/home/classU/user1
    
PATH=/home/classU/user1/bin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/X11R6/bin:/usr/local/bin:/usr/local/sbin:/usr/games:.
    DISPLAY=:0.0
    TERM=xterm
    USER=user2
    ls: .: Permission denied

Which, I guess, does surprise me.

> (And therefore [I should] do things "right" by setting up ssh with public-key
> authentication to do the user switch?)

Which would also require enabling login for user2. (I tried this
without thinking yesterday.)

> (Or go all out and set up chroot to run an instance of X11 and firefox? ;-/
> )

Would this also require enabling login?

-- 
Joel Rees

Be careful when you look at conspiracy.
Arm yourself with knowledge of yourself, as well:
http://reiisi.blogspot.jp/2011/10/conspiracy-theories.html
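The printenv output above shows why the intermediary script fails: HOME and the working directory still belong to user1, and user2 has no read permission there. The following is an added example (not code from the original thread or from doas itself) of a wrapper that resolves the target user's home from a passwd-format record, exports it as HOME and changes into it before running the command. It assumes the doas rule already permits the invocation; the passwd lines below are constructed sample data, and on a real system the lookup would read `getent passwd "$target"` instead.

```shell
#!/bin/sh
# Constructed sample passwd records (not from the original post). A real wrapper
# would replace this with the output of: getent passwd "$target"
SAMPLE_PASSWD='user1:*:1001:1001:User One:/home/classU/user1:/bin/ksh
user2:*:1002:1002:User Two:/home/classU/user2:/sbin/nologin'

# home_of USER PASSWD_TEXT
# Prints the home directory (6th field) of USER; returns 1 if USER is absent.
home_of() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '
    $1 == u { print $6; found = 1 }
    END     { exit !found }'
}

# run_in_home USER PASSWD_TEXT CMD [ARGS...]
# Sets HOME to USER's home, cd's there and runs CMD, so that the command
# starts in a directory the target user can actually read. Intended to be
# invoked as the command under doas (hypothetical usage):
#   doas -u user2 ./wrapper.sh user2 "$(getent passwd user2)" ls
run_in_home() {
  target=$1; shift
  passwd_text=$1; shift
  home=$(home_of "$target" "$passwd_text") || {
    echo "run_in_home: no passwd entry for $target" >&2
    return 1
  }
  HOME=$home
  export HOME
  cd "$home" || return 1
  "$@"
}
```

Running `run_in_home` in a subshell (`$( ... )`) keeps the cd from leaking into the caller's shell; the exit status of the awk lookup is what distinguishes "user not found" from a user whose home field is simply empty.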
