Unable to do "su -m" in OpenBSD 6.4


Unable to do "su -m" in OpenBSD 6.4

Federico Giannici
Today I upgraded my desktop PC from OpenBSD amd64 6.3 to 6.4.

Up to 6.3 I was able to simply execute "su -m" to become superuser while
keeping all my environment. Now under 6.4 I'm no longer able to do it:

casa:/home/giannici> su -m
Password:
su: permission denied (shell).


In the man page of su I see "As a security precaution, if the target
user's shell is a non-standard shell (as defined by getusershell(3)) and
the caller's real UID is non-zero, su will fail.".

But here is the output of "/etc/shells":

casa:/home/giannici> cat /etc/shells
#       $OpenBSD: shells,v 1.8 2009/02/14 17:06:40 sobrado Exp $
#
# list of acceptable shells for chpass(1).
# ftpd(8) will not allow users to connect who are not using
# one of these shells, unless the user is listed in /etc/ftpchroot.
/bin/sh
/bin/csh
/bin/ksh
/usr/local/bin/bash
/usr/local/bin/tcsh

And here is the first line of vipw:

root:$2b$XXXXXXXXXXXXXXXXSomeothercharacters:0:0:daemon:0:0:Charlie &:/root:/bin/ksh


Why can I do "su" but not "su -m" anymore?

Thanks.


Re: Unable to do "su -m" in OpenBSD 6.4

Theo de Raadt-2
You've found an unveil bug in su.  It needs to allow read access to
/etc/shells also, for this specific !altshell + asme + ruid case.

Index: su.c
===================================================================
RCS file: /cvs/src/usr.bin/su/su.c,v
retrieving revision 1.71
diff -u -p -u -r1.71 su.c
--- su.c 23 Aug 2018 16:52:13 -0000 1.71
+++ su.c 20 Oct 2018 16:47:19 -0000
@@ -164,6 +164,8 @@ main(int argc, char **argv)
  err(1, "unveil");
  if (unveil(_PATH_AUTHPROGDIR, "x") == -1)
  err(1, "unveil");
+ if (unveil(_PATH_SHELLS, "r") == -1)
+ err(1, "unveil");
 
  for (;;) {
  /* get target user, default to root unless in -L mode */
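Review bot: the new unveil(_PATH_SHELLS, "r") sits with the other unveil calls ahead of the for (;;) loop, which is where it has to be so that the target-shell check reaching getusershell(3) can open /etc/shells; one thing to tighten is that all three err(1, "unveil") calls in this hunk print the same message, so an operator seeing an unveil failure cannot tell which path was refused. Suggest err(1, "unveil %s", _PATH_SHELLS) (and likewise for the two existing calls), plus a one-line comment on the new unveil naming getusershell(3) as the reader of that path, since the dependency between su's shell check and this unveil is exactly what was missed before.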



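To show what the thread is describing, here is an added example in C that is not OpenBSD's su.c and not code from either poster: a portable model of the su(1) "non-standard shell" check. su asks getusershell(3), which reads /etc/shells, whether the target user's shell is listed; when that file cannot be opened, the lookup finds nothing and su fails closed with the "permission denied (shell)" seen above. The function names shell_is_standard and write_sample_shells, the /tmp paths and the sample shells file are all constructed for the example; the unveil(2) calls are the real OpenBSD API and are compiled only on OpenBSD, where dropping the first of them reproduces the 6.4 behaviour against this program's own file.

```c
/*
 * Added example, not OpenBSD's su.c: a portable model of the su(1) check
 * the thread is about. su asks getusershell(3), which reads /etc/shells,
 * whether the target user's shell is "standard". If the file cannot be
 * opened (in 6.4 because unveil(2) had not exposed it), the lookup finds
 * nothing and su fails closed with "permission denied (shell)".
 * The shells-file path is a parameter here so the example runs anywhere
 * against a constructed file; the unveil(2) calls are the real OpenBSD API
 * and are compiled only on OpenBSD.
 */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __OpenBSD__
#include <err.h>
#endif

/* Constructed sample modelled on the /etc/shells shown in the report. */
static const char sample_shells[] =
    "#\n"
    "# list of acceptable shells for chpass(1).\n"
    "/bin/sh\n"
    "/bin/csh\n"
    "/bin/ksh\n"
    "\t/usr/local/bin/bash\n"	/* leading blanks tolerated by this parser */
    "/usr/local/bin/tcsh   \n";	/* trailing blanks too */

/*
 * Parse one shells(5)-style line: skip leading blanks, ignore empty and
 * '#' lines, return the first token. NULL when the line names no shell.
 */
static char *
shells_line_path(char *line)
{
	char *p = line + strspn(line, " \t");

	if (*p == '\0' || *p == '\n' || *p == '#')
		return NULL;
	p[strcspn(p, " \t\r\n")] = '\0';
	return p;
}

/*
 * 1 if `shell` is listed in `shellsfile`, else 0. An unreadable file also
 * yields 0: the check fails closed, as su(1) did in the report.
 */
int
shell_is_standard(const char *shellsfile, const char *shell)
{
	FILE *fp = fopen(shellsfile, "r");
	char line[1024];
	int found = 0;

	if (fp == NULL)
		return 0;	/* cannot read the list: treat as non-standard */
	while (!found && fgets(line, sizeof line, fp) != NULL) {
		char *p = shells_line_path(line);

		if (p != NULL && strcmp(p, shell) == 0)
			found = 1;
	}
	fclose(fp);
	return found;
}

/* Write the constructed sample to `path`; 0 on success, -1 on failure. */
int
write_sample_shells(const char *path)
{
	FILE *fp = fopen(path, "w");

	if (fp == NULL)
		return -1;
	if (fputs(sample_shells, fp) == EOF) {
		fclose(fp);
		return -1;
	}
	return fclose(fp) == 0 ? 0 : -1;
}

int
main(int argc, char **argv)
{
	const char *shellsfile = "/tmp/shells.example";	/* constructed path */
	const char *shell = argc > 1 ? argv[1] : "/bin/ksh";

	if (write_sample_shells(shellsfile) == -1)
		return 1;
#ifdef __OpenBSD__
	/*
	 * Expose only the shells file, then lock the list. Remove the first
	 * unveil() and the lookup below fails closed: that is the 6.4 bug.
	 */
	if (unveil(shellsfile, "r") == -1)
		err(1, "unveil %s", shellsfile);
	if (unveil(NULL, NULL) == -1)
		err(1, "unveil");
#endif
	printf("%s: %s\n", shell,
	    shell_is_standard(shellsfile, shell) ? "standard" : "non-standard");
	printf("missing list: %s\n",
	    shell_is_standard("/tmp/shells.missing", shell) ? "standard" : "non-standard");
	return 0;
}
```

Run it with a shell path as the first argument; a listed shell prints "standard", an unlisted one "non-standard", and the lookup against the missing file always prints "non-standard" because an unopenable list is treated the same as an empty one. That single branch in shell_is_standard is the fail-closed design Theo refers to: a missing unveil turns into a refused su rather than an unchecked one.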


Re: Unable to do "su -m" in OpenBSD 6.4

Federico Giannici
OK, thank you.

I'd like to know if a syspatch is expected with this fix, or whether I have
to compile "su" by myself from sources.

Thanks.


On 10/20/18 6:47 PM, Theo de Raadt wrote:

> You've found an unveil bug in su.  It needs to allow read access to
> /etc/shells also, for this specific !altshell + asme + ruid case.


--
___________________________________________________
     __
    |-                      [hidden email]
    |ederico Giannici      http://www.neomedia.it

        Presidente del CDA - Neomedia S.r.l.
___________________________________________________


Re: Unable to do "su -m" in OpenBSD 6.4

Theo de Raadt-2
Probably not.

> OK, thank you.
>
> I'd like to know if a syspatch is expected with this fix, or I have to
> compile "su" by myself from sources.
>
> Thanks.


Re: Unable to do "su -m" in OpenBSD 6.4

Theo de Raadt-2
BTW, the unveil changes were committed roughly 2 months ago.  We rely on our
userbase to work along with us, testing our work, that is why -current
is always available.  Not accusing anyone specific of having missed the
regression, regressions will happen and test suites are hard to write
(especially in an area like this).  If we didn't have help from people
using -current fully, work such as unveil would happen much slower ---
if it happened at all (it is easy to get demoralized working on an
innovative project if it takes 4 years instead of 2 years, which is what
unveil took, actually unveil is the derivative of work started as
"pledgepaths" so it is closer to ~4 years already, imagine adding
another 2 due to slowness).  Sufficient use to discover this regression
didn't happen.  Oh well.  As intended by the design it fails closed,
therefore we can shrug it off and carry on.

> OK, thank you.
>
> I'd like to know if a syspatch is expected with this fix, or I have to
> compile "su" by myself from sources.
>
> Thanks.