Subject: Re: bin/32307
To: None <gnats-admin@netbsd.org, netbsd-bugs@netbsd.org, jmiller@shaw.ca>
From: Hubert Feyrer <feyrer@cs.stevens.edu>
List: netbsd-bugs
Date: 12/15/2005 07:40:01
The following reply was made to PR bin/32307; it has been noted by GNATS.
From: Hubert Feyrer <feyrer@cs.stevens.edu>
To: gnats-bugs@NetBSD.org
Cc: Hubert Feyrer <hubert@feyrer.de>
Subject: Re: bin/32307
Date: Thu, 15 Dec 2005 08:37:38 +0100 (CET)
Here is an updated patch that fixes two bugs in NetBSD 3.0_RC6:

 1) su(1) is not compiled with support for login classes, at least the
    -c switch is not enabled. Either the switch should be enabled by
    compiling with -DLOGIN_CAP, or the manpage should be fixed!
    Try running: su -c whatever root

 2) when su'ing from root to a "normal" user, the umask is not handled
    properly.

    In NetBSD 2.0, this was:

        # umask ; su -l user -c umask
        77
        0022
        # umask ; su user -c umask
        77
        0077

    In NetBSD 3.0 (without this patch), this is:

        # umask ; su -l user -c umask
        77
        ====> 0077
        # umask ; su user -c umask
        77
        0077

See also NetBSD PR bin/32307 by Jason V. Miller <jmiller@shaw.ca>.
The patch against su_pam.c is by him, the regression code is by me.

Log of 'make hf-regress' with this patch is appended under the patch
below.

Thanks a lot to Jason Miller for helping to debug this, and pointing it
out in the first place!

 - Hubert

Index: Makefile
===================================================================
RCS file: /cvsroot/src/usr.bin/su/Makefile,v
retrieving revision 1.42
diff -u -r1.42 Makefile
--- Makefile 4 Mar 2005 20:41:09 -0000 1.42
+++ Makefile 15 Dec 2005 07:24:41 -0000
@@ -19,8 +19,6 @@
SRCS=su.c
-CPPFLAGS+=-DLOGIN_CAP
-
DPADD+= ${LIBCRYPT} ${LIBUTIL}
LDADD+= -lcrypt -lutil
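Review bot: removing 'CPPFLAGS+=-DLOGIN_CAP' below 'SRCS=su.c' is only correct because the next hunk adds the same line back after the '.endif'; taken alone this hunk reads as dropping login class support from the su.c build. Say in the log message that the flag is being moved out of the conditional so that both builds get it.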
@@ -64,6 +62,37 @@
CPPFLAGS+=-DSU_ROOTAUTH=\"${SU_ROOTAUTH}\"
.endif
-.endif
+.endif # USE_PAM!=no
+
+CPPFLAGS+=-DLOGIN_CAP
.include <bsd.prog.mk>
+
+
+
+
+
+
+TESTCLASS= hftest
+hf-regress:
+ if ! egrep '^${TESTCLASS}(\|.*):' /etc/login.conf 2>&1 >/dev/null ; then \
+ echo "Need a login class '${TESTCLASS}' in /etc/login.conf" ; \
+ exit 1 ; \
+ fi
+ su root -c 'cd ${.CURDIR} ; umask 077 ; make su-regress'
+
+su-regress:
+ chown root ${.CURDIR}/obj/su
+ chmod 4755 ${.CURDIR}/obj/su
+ :
+ # Testcase #1: should be 0077 / 022:
+ umask ; ${.CURDIR}/obj/su -l ${USER} -c umask
+ :
+ # Testcase #2: should be 0077 / 077:
+ umask ; ${.CURDIR}/obj/su ${USER} -c umask
+ :
+ # Testcase #3: should be 0077 / 022:
+ umask ; ${.CURDIR}/obj/su -l -c hftest ${USER} -c umask
+ :
+ # Testcase #4: should be 0077 / 077:
+ umask ; ${.CURDIR}/obj/su -c hftest ${USER} -c umask
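Review bot: the su-regress target runs 'chown root' and 'chmod 4755' on ${.CURDIR}/obj/su and never undoes it, so each run leaves a setuid-root su built from the working tree in the object directory; run the test on a copy in a temporary directory and remove it afterwards. The four testcases only print the two umasks beside a "should be" comment, so the target succeeds even when the values are wrong; compare the output and exit non-zero on a mismatch. In hf-regress, '2>&1 >/dev/null' leaves stderr on the terminal (use '>/dev/null 2>&1'), testcases #3 and #4 hard-code 'hftest' instead of ${TESTCLASS}, and the six empty added lines after '.include <bsd.prog.mk>' should go. Targets named after the developer fit better in the regress tree than in the program's Makefile.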
Index: su_pam.c
===================================================================
RCS file: /cvsroot/src/usr.bin/su/su_pam.c,v
retrieving revision 1.10
diff -u -r1.10 su_pam.c
--- su_pam.c 5 Jul 2005 20:15:13 -0000 1.10
+++ su_pam.c 15 Dec 2005 07:24:41 -0000
@@ -500,6 +500,12 @@
LOGIN_SETLOGIN|LOGIN_SETPATH|LOGIN_SETGROUP);
/*
+ * Reset umask if we were called with -d or -l
+ */
+ if (asthem)
+ setwhat |= LOGIN_SETUMASK;
+
+ /*
* Don't touch resource/priority settings if -m has been used
* or -l and -c hasn't, and we're not su'ing to root.
*/
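Review bot: the added comment says "-d or -l" but the condition tests only 'asthem'; if -d is tracked by a different variable the umask is not reset for it, so either extend the condition or make the comment match the code. The comment that follows exempts -m from resource/priority changes, and it would help to state whether LOGIN_SETUMASK is meant to apply under -m as well. Only su_pam.c is changed here, while the Makefile also builds from su.c with LOGIN_CAP, so please confirm that path sets the login class umask for -l too.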
Regression log:
$ make hf-regress
if ! egrep '^hftest(\|.*):' /etc/login.conf 2>&1 >/dev/null ; then echo "Need a login class 'hftest' in /etc/login.conf" ; exit 1 ; fi
su root -c 'cd /home/feyrer/su ; umask 077 ; make su-regress'
Password:
chown root /home/feyrer/su/obj/su
chmod 4755 /home/feyrer/su/obj/su
:
# Testcase #1: should be 0077 / 022:
umask ; /home/feyrer/su/obj/su -l feyrer -c umask
0077
022
:
# Testcase #2: should be 0077 / 077:
umask ; /home/feyrer/su/obj/su feyrer -c umask
0077
077
:
# Testcase #3: should be 0077 / 022:
umask ; /home/feyrer/su/obj/su -l -c hftest feyrer -c umask
0077
022
:
# Testcase #4: should be 0077 / 077:
umask ; /home/feyrer/su/obj/su -c hftest feyrer -c umask
0077
077
$
$
$ cat /etc/login.conf
default|mandatory:\
:priority=0:
hftest|test fuer su:\
:priority=2:
$ uname -a
NetBSD 3.0_RC6 NetBSD 3.0_RC6 (GENERIC) #0: Fri Dec 9 09:39:00 UTC 2005 riz@faith.netbsd.org:/home/builds/ab/netbsd-3-0-RC6/i386/200512090458Z-obj/home/builds/ab/netbsd-3-0-RC6/src/sys/arch/i386/compile/GENERIC i386
$
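
The "should be" comments in the regression log above are checked by eye. As an added example (not part of the patch or of the NetBSD tree), this sh/awk filter checks such a log mechanically; the function names are made up for illustration, and the 0077 value for "su -l" is a constructed failing input modelled on the unpatched 3.0 result described in the message.

```shell
# Added example (not part of the PR): verify a su-regress log on stdin
# against its own "should be A / B" comments. Umasks are compared as
# octal numbers, so "0077", "077" and "77" are the same value.
check_umask_log() {
    awk '
    function oct(s,   i, n) {
        n = 0
        for (i = 1; i <= length(s); i++) n = n * 8 + substr(s, i, 1)
        return n
    }
    /^# Testcase #[0-9]+: should be / {
        if (id != "") { print "INCOMPLETE " id; failed = 1 }
        id = $3; sub(/:$/, "", id)
        want[1] = $6; want[2] = $8; sub(/:$/, "", want[2])
        got = 0; bad = 0
    }
    id != "" && /^[0-7]+$/ {
        got++
        if (oct($0) != oct(want[got])) bad = failed = 1
        if (got == 2) {
            status = bad ? "FAIL" : "PASS"
            print status " " id
            id = ""; tests++
        }
    }
    END {
        if (id != "") { print "INCOMPLETE " id; failed = 1 }
        exit (failed || tests == 0)
    }'
}

# Testcases #1 and #2 from the log above; $1 is the umask printed by
# "su -l" (022 as logged; 0077 is the constructed unpatched result).
sample_log() {
    cat <<EOF
# Testcase #1: should be 0077 / 022:
umask ; /home/feyrer/su/obj/su -l feyrer -c umask
0077
$1
:
# Testcase #2: should be 0077 / 077:
umask ; /home/feyrer/su/obj/su feyrer -c umask
0077
077
EOF
}

sample_log 022 | check_umask_log
```

The filter exits non-zero on any FAIL, on a testcase with fewer than two umask lines, and on input with no testcases at all, so it can gate a regression target directly.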