@"rvp"#p9453 Just in case you'd like to know there's a wrapper around `su` available in _wip_, [runas](https://github.com/outpaddling/runas)

@"rvp"#p9453 It will, but that is not the point. There is a good reason why people use `sudo` or `doas` instead of `su`, both security- and usability-wise.

@"vazub"#p9456 I know you didn't ask and I know is GPL licensed but, I use [please](https://www.usenix.org.uk/content/please.html). It allows granular control over which users are allowed to do what.

> @"vazub"#p9456 There is a good reason why people use `sudo` or `doas` instead of `su` Sure, if you're an ISP, or run a university network, then `su` is not fine-grained enough; but, for most home-user/enthusiast/hacker use-cases, it's all that's needed. > @"pin"#p9454 Just in case you'd like to know there's a wrapper around `su` available in wip, [runas](https://github.com/outpaddling/runas) Heh. I didn't know this. And, just how I run `su` too: always with `-l` 😄

> @"pin"#p9458 I know you didn't ask and I know is GPL licensed but, I use [please](https://www.usenix.org.uk/content/please.html). GPL discussion aside, what would be the technical/security/UX benefits of using `please` over `doas` or `priv`? > @"rvp"#p9459 Sure, if you're an ISP, or run a university network, then su is not fine-grained enough; but, for most home-user/enthusiast/hacker use-cases, it's all that's needed. This case is a good example. However, the utility of other discussed tools is that they promote some universal workflow, not purely for limited cases like the one you mentioned.

> @"rvp"#p9459 Heh. I didn't know this. And, just how I run su too: always with -l do you have a function set up for this? ``` sudo () { su -l root -c "$@" ; } ```

> @"pfr"#p9503 do you have a function set up for this? Close :). I have a script which is almost the same: I have `"$*"` instead of `"$@"` (`"$@"` won't work here because `-c` takes a _single_ argument).

> @"rvp"#p9517 I have "$*" instead of "$@" ("$@" won't work here because -c takes a single argument). Ahh thank you. I was trying to figure that out! I probably wont use it becuase I use `please` and `pleaseedit` on NetBSD, althought I might use it on my Void machine. I did try this function on linux in `zsh` but I couldn't get it to take multiple arguments without _"putting them in quotes"_. On Void I currently use `doas` but I've kept `sudo` installed because I prefer to use of `sudoedit` to edit root files. Unfortunately `doas` does not have a similar function. (I should just install `please`/`pleaseedit`) I'm curious if you could implement a `sudoedit` type function using `su`.

> @"pfr"#p9518 I'm curious if you could implement a `sudoedit` type function using `su` `sued`?[1] ```sh #!/bin/sh # # set -eu # umask 077 # rm -f /tmp/sued-helper.sh # prevent any symlink shenanigans # echo 'exec /usr/bin/vi -S "$@"' > /tmp/sued-helper.sh # exec su -m root /tmp/sued-helper.sh "$@" set -eu . ~/bin/q.sh umask 077 # XXX EDITOR='/usr/bin/vi -S' # $EDITOR *must* disallow shell-escapes. exec su -m root -c "$EDITOR $(q "$@")" ``` Run as: ```sh $ sued /etc/passwd /netbsd ``` Function `q()` is [here](https://www.unitedbsd.com/d/308-moritz-systems-bsd-tips-and-tricks/20). [1] Ie: If you use this script wrongly and somehow lose your `/etc/passwd`, don't `su(1)` me!

> @"rvp"#p9525 sued?[1] Funny, I have `alias sued="sudoedit"` in my `.zshrc` (although I don't use `ed`) I also renamed the above shell function to `suas` so to not replace `sudo` 😆 > @"rvp"#p9525 Run as: > ``` > $ env EDITOR=/bin/ed sued /etc/passwd /netbsd Why are you calling `EDITOR=/bin/ed` when the editor is set in the script? Also, why is `/etc/passwd` and `/netbsd` included in the command?

Random thought: The roles/profiles/tasks system of Solaris RBAC allows for a more fine-grained control over user priviliges and would represent a good starting point to take inspiration from for a future *BSD project.

doas, su discussion

vazub

pfr

# echo 'permit nopass keepenv :wheel' >> /usr/pkg/etc/doas.conf

is typically all I need in terms of doas settings. It doesn't require password for users in wheel group and makes sure your environment is used. Yes, that means your .vimrc file will be used properly as intended - no need to play around setenv at all.

pfr

vazub Thanks!

I'm hesitant to allow nopass for the wheel... even though I am the only person who uses my machine. I suppose I feel like needing to enter a password will keep me from doing something I shouldn't (more time to think) haha

rvp

pfr I personally use sudoedit over sudo vim because it preserves all of my plugins and customisations in my .vimrc, syntax highlighting being the main one.

In that case this minimal version (which uses the -m flag of su) should be sufficient:

Minimal `sued.sh`

#!/bin/sh

set -eu
umask 077
rm -f /tmp/sued-helper.sh	# prevent any symlink shenanigans
echo 'exec /usr/bin/vi -S "$@"' > /tmp/sued-helper.sh
exec su -m root /tmp/sued-helper.sh "$@"

I"ve also updated the sudoedit work-alike script above.

pfr

rvp
That is awesome. Would you recomend using the sudoedit script oer the more minimal function?

Now I'm also wondering, rahter than put the suas function in a script in my PATH, should I just add it to .profile as well?
Will scripts be able to call suas this way?

pfr

rvp Minimal sued.sh

I've been using the earlier version you posted above
for a while anyway but will use this more minimal version for now.

rvp

pfr Would you recomend using the sudoedit script oer the more minimal function?

I recommend using the real thing 😉

pfr Will scripts be able to call suas this way?

Shell functions won't do if you want run suas or sued from other scripts. I've just made the minimal sued into a script also for this reason.

pfr

rvp I recommend using the real thing 😉

nahhhh, that little script is all I need. Thanks again!

However, I tried the longer version above (on Void Linux) and for some reason it doesn't like this line:

λ ~ ./sued.sh /usr/local/bin/ec                                                                                                                                                      
Password:
./sued.sh: 92: set: Illegal option -o pipefail

whether it has anything to do with linux or zsh I dont know but I'll test it on my Thonkpad later.

oui

pfr

pfr Thonkpad

This typo is beautiful.

rvp

pfr However, I tried the longer version above (on Void Linux) and for some reason it doesn't like this line

a) which wretched shell is this?
b) just remove that -o pipefail--the script doesn't do any piping now.

pfr

oui This typo is beautiful.

Actually its not a typo, I'm jut a funny guy 😁

rvp a) which wretched shell is this?

zsh .... (returning to bash soon)

rvp b) just remove that -o pipefail--the script doesn't do any piping now.

Great, cheers.

The only downside I've found using onlu su so far is that there is no persist option and I am required to type my password every single time. Other than that, everything works as it should.

rvp zsh

rvp

pfr zsh .... (returning to bash soon)

No, mate, not your interactive one. I meant the shell executed by the shebang. It can't be zsh 'cuz a shell which has the kitchen-sink, the baby and its bath-water is sure to have -o pipefail as well.

I would guess dash. Everything other modern shell (except in strict-POSIX mode) supports that option.

rvp

pfr give me your thoughts?

This works only on Linux.
Setting cap_set{u,g}id on a program is good, but then, you immediately do set{u,g}id(0); exec(). This defeats the whole purpose of having capabilities. You might just as well have installed this program setuid instead.
Doesn't even ask for a password, or make any auth checks. Anybody can become root using this.

pfr I still to this day use the suas sued suec scripts from this thread.

Ah, there's a terrible security bug in the simple version of sued which I completely forgot about. Fixed.

Is this the version of suec you have?

#!/bin/sh

. ~/bin/q.sh
exec su root -c "$(q "$@")"

Don't recall what suas is...

pfr The only downside I've found using onlu su so far is that there is no persist option and I am required to type my password every single time.

Sometime after you asked this, I thought up a quirky technique to do just this using standard su -- and then promptly forgot until you bumped this thread up. Thought it up again. Here it is:

Assumptions:

User running su is in group wheel.
The only way to login into the system is via SSH or in a terminal using login. (Ie. other services like telnet, ftp, ... are off.)

Steps:

Remove root's password. (ie. the password is empty.)

Make sure root can't login via SSH.
The PermitRootLogin setting should be turned off, or commented out (the latter is the default these days).

$ fgrep PermitRootLogin /etc/ssh/sshd_config
#PermitRootLogin prohibit-password
$

Ensure root can't login on a terminal either.
Remove the secure word from the on entries in /etc/ttys.

The end result should be that any user belonging to wheel should be able to su root w/o a password. And, you also can't login as root in any other way.

rvp Sorry for jumping in again where I was not requested.
Yes, Void uses dash as the root shell.

pfr

rvp ahhh yes, I did not use my brain here.

pin Sorry for jumping in again where I was not requested.

You are always welcome to jump in, because you usually know whats going on in my system more than I do 😅

rvp

pin Jump in any time you like, mate! Yeah, I'll try to remember that dash doesn't know pipefail

@pin you have a working wireless in NetBSD, right? Does sysinst detect and configure it?

rvp

pin Can you please move this little discussion to this thread where it belongs?

rvp ~~Apparently I can't do that. I can select the messages to move but, I have no option to actually move them.~~

Sorry, done 🙂

rvp

pfr I've been using the earlier version you posted above

Ah, hell! I forgot to fix that version. Updated now.

pfr

rvp
So, out of the 3 possible impementations you've now shared, which one would be the most practical and/or sensible to use? The answer is not sudoedit 😆

rvp

pfr Hmm...no preference, actually. What does Goldilocks think?

pfr

rvp Goldilocks seems to prefer the version with the least amount of code.

« Previous Page Next Page »