Re: su to alias on RH

2000-09-28 Thread Chris K. Young

Quoted from Mate Wierdl:
> We are talking about setting up ezmlm  mailinglists under ~alias.  

On the system I run, alias has shell /bin/false. I get into the alias
account using a setuid program called listmanage, a program I wrote
specifically for the purpose of managing lists under the alias user.

I'm not well-versed in programming setuid programs securely, so don't
make it publicly executable (unless all your users are trustable, or
you're prepared to audit the program and fix security bugs you find).

If you want a copy, have cvs and ssh installed, then put the following
lines in your ~/.ssh/config:

Host cvs.m.org.nz
Hostname janus.industrial.co.nz
Port 600

and run:

CVS_RSH=ssh cvs -d [EMAIL PROTECTED] co chris/listmanage

---Chris K.
-- 
 Chris, the Young One |_ but what's a dropped message between friends? 
  Auckland, New Zealand |_ this is UDP, not TCP after all ;) ---John H. 
http://cloud9.hedgee.com/ |_ Robinson, IV  



Re: su to alias on RH

2000-09-15 Thread Ricardo Cerqueira

On Fri, Sep 15, 2000 at 04:36:39PM -0700, Russ Allbery wrote:
> Mate Wierdl <[EMAIL PROTECTED]> writes:
> 
> > I do not understand this comment at all. Under RH 5.2, after doing 
> 
> > su - alias
> 
> > the output of whoami was `alias'.  Now it is still root.  Why do I
> > need a valid shell to be able to do this?
> 
> I don't know if Red Hat is weird, but under most operating systems if you
> su to a user, you get that user's shell.  If you set the shell to
> /bin/true, it will then immediately exit, leaving you back as root again.

AFAIK, RH always had the proper behaviour with su (ie, running that user's
shell). I still have a couple of live RH 5.2 boxen, and they both respect
that. (whether the shell is in /etc/shells or not).

RC

-- 
+---
| Ricardo Cerqueira  
| PGP Key fingerprint  -  B7 05 13 CE 48 0A BF 1E  87 21 83 DB 28 DE 03 42 
| Novis  -  Engenharia ISP / Rede Técnica 
| Pç. Duque Saldanha, 1, 7º E / 1050-094 Lisboa / Portugal
| Tel: +351 2 1010  - Fax: +351 2 1010 4459


Re: su to alias on RH

2000-09-15 Thread Russ Allbery

Mate Wierdl <[EMAIL PROTECTED]> writes:

> I do not understand this comment at all. Under RH 5.2, after doing 

> su - alias

> the output of whoami was `alias'.  Now it is still root.  Why do I
> need a valid shell to be able to do this?

I don't know if Red Hat is weird, but under most operating systems if you
su to a user, you get that user's shell.  If you set the shell to
/bin/true, it will then immediately exit, leaving you back as root again.

-- 
Russ Allbery ([EMAIL PROTECTED]) 



Re: su to alias on RH

2000-09-15 Thread Mate Wierdl

On Fri, Sep 15, 2000 at 02:04:50PM -0700, Phil Blecker wrote:
> On Fri, Sep 15, 2000 at 03:58:15PM -0500, Mate Wierdl wrote:
> > alias:x:104:502::/var/qmail/alias:/bin/true
>                                     ^
> That is the name of the shell program to run for alias. But, it's not a
> shell. 

So?

$ grep alias: /var/qmail/doc/INSTALL.ids
alias:*:7790:2108::/var/qmail/alias:/bin/true

> It's a program that returns 0 and then exits. Change it to /bin/sh if
> you really want to do that, or enter "su alias" instead of "su -
> alias".

I do not understand this comment at all. Under RH 5.2, after doing 

su - alias

the output of whoami was `alias'.  Now it is still root.  Why do I
need a valid shell to be able to do this?
 
> I'm not going to ask why you want to do that, though, because it doesn't
> make sense to me.

We are talking about setting up ezmlm  mailinglists under ~alias.  

Mate



su to alias on RH

2000-09-15 Thread Mate Wierdl

We have been telling people to do

su - alias

before setting up a list under ~alias.  But under RH 6.1-2, you cannot
do this anymore unless you specify a "real" shell for alias.  So the
usual entry

alias:x:104:502::/var/qmail/alias:/bin/true

will not work anymore.  What is the reason?  Could it be because of a
change in the pam conf file for su?  I have

# cat /etc/pam.d/su
#%PAM-1.0
auth       required /lib/security/pam_pwdb.so shadow nullok
account    required /lib/security/pam_pwdb.so
password   required /lib/security/pam_cracklib.so
password   required /lib/security/pam_pwdb.so shadow use_authtok nullok
session    required /lib/security/pam_pwdb.so
session    optional /lib/security/pam_xauth.so

Mate
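
The replies in this thread attribute the behaviour to the account's login shell: su runs the program named in the seventh passwd field, and /bin/true exits at once. The following is an added example, not part of any message in the thread, that checks passwd entries for such shells. The sample data (apart from the alias line quoted above), the function names and the list of non-shell programs are assumptions.

```sh
# Constructed sample passwd(5) data; only the alias line comes from the thread.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
alias:x:104:502::/var/qmail/alias:/bin/true
listadm:x:105:502::/home/listadm:/bin/sh
nobody:x:99:99:Nobody:/:/bin/false
legacy:x:106:502::/home/legacy:'

# shell_of USER: print USER's login shell (7th field). An empty field means
# /bin/sh, per passwd(5). Returns non-zero if USER has no entry.
shell_of() {
    printf '%s\n' "$SAMPLE_PASSWD" | awk -F: -v u="$1" '
        $1 == u { print ($7 == "" ? "/bin/sh" : $7); found = 1 }
        END { exit !found }'
}

# su_outcome USER: what root should expect from `su - USER`, judged by the
# basename of the login shell. The list of non-shell programs is an assumption.
su_outcome() {
    sh_path=$(shell_of "$1") || { echo "no-such-user"; return 1; }
    case "${sh_path##*/}" in
        true|false|nologin) echo "exits-immediately" ;;
        *)                  echo "interactive" ;;
    esac
}

# noninteractive_users: space-separated accounts whose login shell exits at once.
noninteractive_users() {
    out=""
    for u in $(printf '%s\n' "$SAMPLE_PASSWD" | cut -d: -f1); do
        if [ "$(su_outcome "$u")" = "exits-immediately" ]; then
            out="$out $u"
        fi
    done
    echo "${out# }"
}

noninteractive_users
```

To check a live host, replace SAMPLE_PASSWD with the output of `getent passwd`.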