GNU bug report logs - #8700
Simple way to switch user/group permissions without requiring PAM sessions

Previous Next

Package: coreutils;

Reported by: Colin Watson <cjwatson <at> debian.org>

Date: Thu, 19 May 2011 13:14:03 UTC

Severity: normal

Tags: wontfix

Done: Assaf Gordon <assafgordon <at> gmail.com>

Bug is archived. No further changes may be made.

Full log

View this message in rfc822 format

From: Colin Watson <cjwatson <at> debian.org>
To: 8700 <at> debbugs.gnu.org
Cc: Ian Jackson <ijackson <at> chiark.greenend.org.uk>
Subject: bug#8700: Simple way to switch user/group permissions without requiring PAM sessions
Date: Thu, 19 May 2011 14:13:39 +0100

Every so often I wish that there existed (preferably in the Debian base
system) a tool analogous to chroot that drops privileges from root to a
nominated user, group, etc. and runs a given program.

Of course I do know about su, sudo, etc., but:

 * su and sudo are often configured to start a PAM session with noisy
   logging etc.;

 * su has a messy historical command-line syntax that requires fiddly
   quoting;

 * sudo isn't installed everywhere;

 * these programs all have lots of authentication baggage, which is
   thoroughly overkill when I'm writing shell scripts that run as root
   and just want to quickly run a program as some other user.

One example of when I want to use this is in Debian's
/etc/cron.daily/man-db script.  Towards the end of this, I want to run
the mandb program as the 'man' user.  I ended up using Debian's
start-stop-daemon, which happens to be able to run something in the
foreground as a different user; but mandb is not a daemon,
start-stop-daemon isn't universal, and so this all feels like a hack.

In other similar situations I've ended up with a couple of lines of
Perl, something like:

    perl -e '@pwd = getpwnam("man"); $( = $) = $pwd[3]; $< = $> = $pwd[2];
             exec "/usr/bin/mandb", @ARGV' -- "$@"

Again, though: punctuation-heavy, not trivial to get exactly right,
delicate quoting, and so on.

It seems to me that we could use something which can do ID switches away
from root without all the authentication stuff, and could be simple
enough to go in coreutils and ultimately end up on all GNUish systems.
When I complained about the lack of this on a local IRC channel, Ian
Jackson (CCed) pointed out that his 'really' tool is pretty close to
this; it does have some very simple authentication code, but that's easy
to strip out, and the rest is almost identical to what I'd want to see
in such a tool.  He did say that he'd prefer it not to be called
'really' if it's not installed setuid; I suggest 'chid' by analogy with
chroot, chcon, etc.

The source for 'really' is here (and though while I can't speak for him
I suspect Ian would be happy to do FSF assignment and such, since he's
already a GNU maintainer):

  http://www.chiark.greenend.org.uk/ucgi/~ian/git?p=chiark-utils.git;a=tree;f=cprogs

Another piece of prior art is the 'runas' tool in titantools.  However,
this is under a non-free licence and its command line interface is not
all that great IMO, so it's probably only useful to know about it to
avoid using the same (tempting) name.

Thanks,

-- 
Colin Watson                                       [cjwatson <at> debian.org]
This bug report was last modified 6 years and 228 days ago.

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.