The su manual doesn't mention use root account by default

Nan Xiao
Hi misc@,

Greeting from me!

I read the su manual (https://man.openbsd.org/su.1), but can't find words
which say that if no account is provided, root is the default. But for
doas (https://man.openbsd.org/doas.1), it has the following words:

    -u user  Execute the command as user. The default is root.

I am not a nitpicker, just curious whether I am missing something? Thanks!

Best Regards
Nan Xiao


Re: The su manual doesn't mention use root account by default

Ingo Schwarze
Hello Nan Xiao,

Nan Xiao wrote on Wed, Jun 12, 2019 at 02:19:08PM +0800:

> I read the su manual (https://man.openbsd.org/su.1), but can't find words
> which say that if no account is provided, root is the default.

The BUGS section says so indirectly, but i agree that is not sufficient.
A manual page ought to explain the behaviour of a utility explicitly
and in the DESCRIPTION section.  All the more so for aspects as important
as the one you are talking about.

> But for
> doas (https://man.openbsd.org/doas.1), it has the following words:
>
>     -u user  Execute the command as user. The default is root.
>
> I am not a nitpicker, just curious whether I am missing something? Thanks!

In OpenBSD, we do not regard it as nitpicking when people point out
bugs in manual pages.  We regard bugs in manual pages just as much as
bugs as bugs in code.  We insist that manual pages have to be correct,
complete, and concise.

Consequently, your report is very much appreciated and i committed
the bugfix shown below.

Thank you,
  Ingo


P.S.
The reason this particular bug was able to survive for so long appears
to be that su(1) has been obsolete as a tool for getting a root shell
for a very long time.  For that purpose, it is less secure than sudo(1)
used to be, and even sudo(1) was swapped out of OpenBSD because
something simpler like doas(1) is even more secure unless you really
need the additional functionality.  And even then, if possible,
getting your task done in a simpler way that doas(1) can handle may
provide a security benefit.

Even though su(1) can still be used today to relinquish privilege
when you are already root, no more development is done on it and people
rarely look at the manual page.  The last time new functionality was
added to the su(1) manual page was almost a decade ago, and the
last time before that 17 years ago.

Even though UNIX manual pages were always high quality documentation,
two decades ago, they weren't fully up to modern OpenBSD quality
standards yet.


CVSROOT: /cvs
Module name: src
Changes by: [hidden email] 2019/06/12 02:29:17

Modified files:
        usr.bin/su     : su.1

Log message:
when "login" is not specified, "root" is used;
omission reported by Nan Xiao <xiaonan830818 at gmail dot com> on misc@


Index: su.1
===================================================================
RCS file: /cvs/src/usr.bin/su/su.1,v
retrieving revision 1.31
retrieving revision 1.32
diff -u -r1.31 -r1.32
--- su.1 30 Jul 2015 08:03:49 -0000 1.31
+++ su.1 12 Jun 2019 08:29:17 -0000 1.32
@@ -49,6 +49,11 @@
 .Nm
 utility allows a user to run a shell with the user and group ID of another user
 without having to log out and in as that other user.
+If the target
+.Ar login
+name is not specified,
+.Dq root
+is used.
 .Pp
 By default, the environment is unmodified with the exception of
 .Ev LOGNAME ,
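
Review bot: The sentence added after "without having to log out and in as that other user." states the root default without qualification, while the BUGS section of the same page reads "The login name is not optional for root if there are shell arguments." Consider adding a short pointer to that restriction next to the new text, so that a reader of DESCRIPTION alone does not conclude that the login name can always be omitted when root is the target.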


Re: The su manual doesn't mention use root account by default

Mihai Popescu-3
In reply to this post by Nan Xiao
> ... if no account is provided, root is the default

I always considered that su is coming from _s_uper _u_ser. But maybe I
am wrong, I am not from old UNIX days.


Re: The su manual doesn't mention use root account by default

Theo de Raadt-2
Mihai Popescu <[hidden email]> wrote:

> > ... if no account is provided, root is the default
>
> I always considered that su is coming from _s_uper _u_ser. But maybe I
> am wrong, I am not from old UNIX days.

incorrect.

NAME
     su - substitute user identity


Re: The su manual doesn't mention use root account by default

Nan Xiao
In reply to this post by Ingo Schwarze
Hi Ingo,

Thanks for your detailed explanation!

Best Regards
Nan Xiao

On Wed, Jun 12, 2019 at 4:55 PM Ingo Schwarze <[hidden email]> wrote:

>
> Hello Nan Xiao,
>
> Nan Xiao wrote on Wed, Jun 12, 2019 at 02:19:08PM +0800:
>
> > I read the su manual (https://man.openbsd.org/su.1), but can't find words
> > which say that if no account is provided, root is the default.
>
> The BUGS section says so indirectly, but i agree that is not sufficient.
> A manual page ought to explain the behaviour of a utility explicitly
> and in the DESCRIPTION section.  All the more so for aspects as important
> as the one you are talking about.
>
> > But for
> > doas (https://man.openbsd.org/doas.1), it has the following words:
> >
> >     -u user  Execute the command as user. The default is root.
> >
> > I am not a nitpicker, just curious whether I am missing something? Thanks!
>
> In OpenBSD, we do not regard it as nitpicking when people point out
> bugs in manual pages.  We regard bugs in manual pages just as much as
> bugs as bugs in code.  We insist that manual pages have to be correct,
> complete, and concise.
>
> Consequently, your report is very much appreciated and i committed
> the bugfix shown below.
>
> Thank you,
>   Ingo
>
>
> P.S.
> The reason this particular bug was able to survive for so long appears
> to be that su(1) has been obsolete as a tool for getting a root shell
> for a very long time.  For that purpose, it is less secure than sudo(1)
> used to be, and even sudo(1) was swapped out of OpenBSD because
> something simpler like doas(1) is even more secure unless you really
> need the additional functionality.  And even then, if possible,
> getting your task done in a simpler way that doas(1) can handle may
> provide a security benefit.
>
> Even though su(1) can still be used today to relinquish privilege
> when you are already root, no more development is done on it and people
> rarely look at the manual page.  The last time new functionality was
> added to the su(1) manual page was almost a decade ago, and the
> last time before that 17 years ago.
>
> Even though UNIX manual pages were always high quality documentation,
> two decades ago, they weren't fully up to modern OpenBSD quality
> standards yet.
>
>
> CVSROOT:        /cvs
> Module name:    src
> Changes by:     [hidden email]        2019/06/12 02:29:17
>
> Modified files:
>         usr.bin/su     : su.1
>
> Log message:
> when "login" is not specified, "root" is used;
> omission reported by Nan Xiao <xiaonan830818 at gmail dot com> on misc@
>
>
> Index: su.1
> ===================================================================
> RCS file: /cvs/src/usr.bin/su/su.1,v
> retrieving revision 1.31
> retrieving revision 1.32
> diff -u -r1.31 -r1.32
> --- su.1        30 Jul 2015 08:03:49 -0000      1.31
> +++ su.1        12 Jun 2019 08:29:17 -0000      1.32
> @@ -49,6 +49,11 @@
>  .Nm
>  utility allows a user to run a shell with the user and group ID of another user
>  without having to log out and in as that other user.
> +If the target
> +.Ar login
> +name is not specified,
> +.Dq root
> +is used.
>  .Pp
>  By default, the environment is unmodified with the exception of
>  .Ev LOGNAME ,


Re: The su manual doesn't mention use root account by default

Andrew Luke Nesbit-2
In reply to this post by Theo de Raadt-2
On 13/06/2019 07:17, Theo de Raadt wrote:

> Mihai Popescu <[hidden email]> wrote:
>
>>> ... if no account is provided, root is the default
>>
>> I always considered that su is coming from _s_uper _u_ser. But maybe I
>> am wrong, I am not from old UNIX days.
>
> incorrect.
>
> NAME
>      su - substitute user identity
>

I never noticed this before.  It's my favorite bit of *nix trivia that
defies misguided assumptions since I learned that `/etc` is apparently
an initialism for "editable text configuration".

Andrew
--
OpenPGP key: EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9


Re: The su manual doesn't mention use root account by default

Marc Espie-2
On Thu, Jun 13, 2019 at 08:55:09AM +0100, Andrew Luke Nesbit wrote:

> On 13/06/2019 07:17, Theo de Raadt wrote:
> > Mihai Popescu <[hidden email]> wrote:
> >
> >>> ... if no account is provided, root is the default
> >>
> >> I always considered that su is coming from _s_uper _u_ser. But maybe I
> >> am wrong, I am not from old UNIX days.
> >
> > incorrect.
> >
> > NAME
> >      su - substitute user identity
> >
>
> I never noticed this before.  It's my favorite bit of *nix trivia that
> defies misguided assumptions since I learned that `/etc` is apparently
> an initialism for "editable text configuration".
>
> Andrew

Right... and the perfect match to commonly used "et caetera" is just
pure coincidence.

Lol.


Re: The su manual doesn't mention use root account by default

chohag
In reply to this post by Nan Xiao
Nan Xiao writes:
> Hi Ingo,
>
> Thanks for your detailed explanation!

Ingo seems to be rather good at those. The last trivial question I asked
got an exposé on precisely how the ports and base development processes
interact with one another.

I propose a motion that every answer Ingo makes to a question be turned
into a FAQ item.

Or, slightly more seriously, that response I got the other day on ports@
should be in a "how to do ports" document because wow, Ingo, you seem to
have a knack for detailed (and *clear*) explanations and I don't think I
thanked you for putting it all out there for me.

Matthew


Re: The su manual doesn't mention use root account by default

Christian Weisgerber
In reply to this post by Theo de Raadt-2
On 2019-06-13, "Theo de Raadt" <[hidden email]> wrote:

>> I always considered that su is coming from _s_uper _u_ser. But maybe I
>> am wrong, I am not from old UNIX days.
>
> incorrect.
>
> NAME
>      su - substitute user identity

Well, that's V7, which appears to have engaged in a bit of revisionism
together with the then newly expanded functionality.

Earlier in V6 it was "su - become privileged user" and "Su allows
one to become the super-user, who has all sorts of marvelous (and
correspondingly dangerous) powers".

http://man.cat-v.org/unix-6th/8/su

--
Christian "naddy" Weisgerber                          [hidden email]


Re: The su manual doesn't mention use root account by default

Mihai Popescu-3
In reply to this post by Nan Xiao
> Ingo seems to be rather good at those.

My favorites are Nick Holland's answers. But let's not forget Stuart
Henderson, Henning Brauer, Stefan Sperling, Marc Espie ... and Dr.
House. The answers from the latter are hard to digest but always solid
and in place. Maybe others too, my excuses for not mentioning them.
And for killing the thread.


Re: The su manual doesn't mention use root account by default

Ingo Schwarze
In reply to this post by Christian Weisgerber
Hi,

Christian Weisgerber wrote on Thu, Jun 13, 2019 at 11:13:11AM -0000:
> On 2019-06-13, "Theo de Raadt" <[hidden email]> wrote:
>> Somebody wrote:

>>> I always considered that su is coming from _s_uper _u_ser. But maybe I
>>> am wrong, I am not from old UNIX days.

>> incorrect.
>>
>> NAME
>>      su - substitute user identity

> Well, that's V7, which appears to have engaged in a bit of revisionism
> together with the then newly expanded functionality.
>
> Earlier in V6 it was "su - become privileged user" and "Su allows
> one to become the super-user, who has all sorts of marvelous (and
> correspondingly dangerous) powers".
>
> http://man.cat-v.org/unix-6th/8/su

Actually, that text (without the parenthetic remark) goes back all
the way to v1 (Nov/3/71),

To scare you a bit, the SYNOPSIS in v1 said:

  su password

and the DESCRIPTION:

  In order for su to do its magic, the user must pass as an argument
  a password.

There was a BUGS section, but it was explicitly empty.

Those were more carefree times.

The table of contents in v2 even said, under section I:

  su ........... become super-user

https://www.tuhs.org/Archive/Distributions/Research/Dennis_v1/man13.pdf
https://www.tuhs.org/Archive/Distributions/Research/1972_stuff/unix_2nd_edition_manual.pdf

I just committed a fix to the HISTORY section of the manual page.


CVSROOT: /cvs
Module name: src
Changes by: [hidden email] 2019/06/13 06:59:51

Modified files:
        usr.bin/su     : su.1

Log message:
su(I) goes back all the way to v1:
https://www.tuhs.org/Archive/Distributions/Research/Dennis_v1/man13.pdf
It wasn't in v0 PDP-7 UNIX though:
https://www.tuhs.org/Archive/Distributions/Research/McIlroy_v0/UnixEditionZero.txt


Index: su.1
===================================================================
RCS file: /cvs/src/usr.bin/su/su.1,v
retrieving revision 1.32
retrieving revision 1.33
diff -u -r1.32 -r1.33
--- su.1 12 Jun 2019 08:29:17 -0000 1.32
+++ su.1 13 Jun 2019 12:59:51 -0000 1.33
@@ -273,7 +273,7 @@
 .Sh HISTORY
 A
 .Nm
-command appeared in
-.At v7 .
+command first appeared in
+.At v1 .
 .Sh BUGS
 The login name is not optional for root if there are shell arguments.
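
Review bot: Replacing ".At v7 ." with ".At v1 ." in HISTORY removes the v7 reference altogether, although the v1 text quoted in this thread describes a command that only becomes the super-user, and the thread ties the name "substitute user identity" to V7 and its "newly expanded functionality". Consider keeping a second sentence that records when the optional login argument appeared, so HISTORY covers both the origin of the command and the behaviour that revision 1.32 documents in DESCRIPTION.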


Re: The su manual doesn't mention use root account by default

Adam Thompson
In reply to this post by Ingo Schwarze
On 2019-06-12 03:55, Ingo Schwarze wrote:
> Even though su(1) can still be used today to relinquish privilege
> when you are already root, no more development is done on it and people
> rarely look at the manual page.  The last time new functionality was
> added to the su(1) manual page was almost a decade ago, and the
> last time before that 17 years ago.

Well, su(8) also is used to obtain root privileges in the first place.

FWIW, I regularly use "su" on OpenBSD because it's a relatively
consistent cross-platform way to have root run a command as someone
else.  I recall a good number of ports using su(8) internally in, e.g.
process-control scripts - but that was years ago, not sure if it's still
true or not.

doas simply isn't available anywhere else (yet).  (IMHO, I don't think a
portable version of doas has a lot of potential - it's not complicated
enough! <grin>)

During initial system installation & deployment, before doas is
configured, and assuming you haven't [yet] added your SSH keys to
~root/.ssh/allowed_keys, it's quite impossible to avoid using su.  
(AFAIK.  If there's another way, let me know!)

I hope you're just saying that su(8) is a mature, stable utility that
needs no further work right now.  It kind of sounds like you might be
saying that su(8) could be on the chopping block, much like sudo(8)...
have I misread that?

-Adam


Re: The su manual doesn't mention use root account by default

Chris Bennett-4
In reply to this post by Ingo Schwarze
Well, I often need a root shell.
Usually I login as a user in group wheel, but not operator!
The perils of group operator were explained in a previous thread.
I don't use that group anymore.

As I understand, nothing like a web browser, etc. should ever be used by
root. So I don't.

I have been using doas su -l to get a root shell, while using those
other programs as the original user.

I never use ssh from the root shell.


Am I doing something unsafe here?
Should I NOT open the root shell and only execute each command with
doas? That's easy to do also.
A third choice is actually to login as root directly.

Does having a root shell open continuously, but only when using it,
cause me to have a significant security risk?
It's convenient, but not necessary.

And there was that tty security problem that came up in another thread.

I've been meaning to ask this question, seems like a good thread to ask
it in. Things have changed significantly recently, so I feel a little
unsure how things stand now.

Thanks,
Chris Bennett



Re: The su manual doesn't mention use root account by default

OpenBSD lists
In reply to this post by Adam Thompson
On 6/13/2019 9:42 AM, Adam Thompson wrote:
> On 2019-06-12 03:55, Ingo Schwarze wrote:
> During initial system installation & deployment, before doas is
> configured, and assuming you haven't [yet] added your SSH keys to
> ~root/.ssh/allowed_keys, it's quite impossible to avoid using su.
> (AFAIK.  If there's another way, let me know!)
>
siteXX.tgz

https://www.openbsd.org/faq/faq4.html#site


Re: The su manual doesn't mention use root account by default

Andrew Luke Nesbit-2
On 13/06/2019 20:56, Misc User wrote:

> On 6/13/2019 9:42 AM, Adam Thompson wrote:
>> On 2019-06-12 03:55, Ingo Schwarze wrote:
>> During initial system installation & deployment, before doas is
>> configured, and assuming you haven't [yet] added your SSH keys to
>> ~root/.ssh/allowed_keys, it's quite impossible to avoid using su.
>> (AFAIK.  If there's another way, let me know!)
>
> siteXX.tgz
>
> https://www.openbsd.org/faq/faq4.html#site

This is a neat solution.

Another could be to use single user mode as per
https://www.openbsd.org/faq/faq8.html#LostPW .  This is pretty low level
and whether or not it is sufficient depends on what sort of extra
configuration needs doing.

Andrew
--
OpenPGP key: EB28 0338 28B7 19DA DAB0  B193 D21D 996E 883B E5B9