Bug 160798

Summary: su command in startup script fails with permissions problem
Product: [Fedora] Fedora
Reporter: John Horne <john.horne>
Component: coreutils
Assignee: Tim Waugh <twaugh>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: 4
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2005-06-17 08:18:05 EDT

Description John Horne 2005-06-17 07:38:32 EDT
Description of problem:
I have a system startup script in /etc/init.d which calls 'su' to run a program as another user ('bigbro'). The relevant part is:

=========================================================================
BBHOME=/home/bigbro/bb

[ -f $BBHOME/runbb.sh ] || exit 0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Big Brother"
        su -l -c "$BBHOME/runbb.sh start >/dev/null" bigbro && \
        success "Starting Big Brother" || failure "Starting Big Brother"
        echo
        ;;
=========================================================================

Changing the startup script to show what is happening, it shows that the su command fails with a permission problem:

=========================================================================
Starting Big Brother+ su -l -c '/home/bigbro/bb/runbb.sh start >/dev/null' 
bigbro
su: /bin/bash: Permission denied
=========================================================================

The log file /var/log/audit/audit.log shows (wrapped by me):

=========================================================================
type=USER msg=audit(1119006433.270:7394952): user pid=4201 uid=0 auid=4294967295
  msg='PAM authentication: user=bigbro exe=/bin/su (hostname=?, addr=?, 
  terminal=pts/3 result=Success)'
type=USER msg=audit(1119006433.578:7395659): user pid=4201 uid=0 auid=4294967295
  msg='PAM accounting: user=bigbro exe=/bin/su (hostname=?, addr=?, 
  terminal=pts/3 result=Success)'
type=USER msg=audit(1119006433.885:7396141): user pid=4201 uid=0 auid=4294967295
  msg='PAM session open: user=bigbro exe=/bin/su (hostname=?, addr=?, 
  terminal=pts/3 result=Success)'
type=PATH msg=audit(1119006433.988:7396329): item=0 name="/bin/bash" 
  inode=1824354 dev=09:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC_PATH msg=audit(1119006433.988:7396329):  path="/bin/bash"
type=SYSCALL msg=audit(1119006433.988:7396329): arch=40000003 syscall=11 
  success=no exit=-13 a0=99a2760 a1=999c070 a2=99a27e8 a3=3 items=1 pid=4202 
  auid=4294967295 uid=1984 gid=1984 euid=1984 suid=1984 fsuid=1984 egid=1984 
  sgid=1984 fsgid=1984 comm="su" exe="/bin/su"
type=AVC msg=audit(1119006433.988:7396329): avc:  denied  { transition } for  
  pid=4202 comm="su" name=bash dev=md2 ino=1824354 
  scontext=root:system_r:initrc_t tcontext=user_u:system_r:unconfined_t 
  tclass=process
type=USER msg=audit(1119006434.193:7396816): user pid=4201 uid=0 auid=4294967295
  msg='PAM session close: user=bigbro exe=/bin/su (hostname=?, addr=?, 
  terminal=pts/3 result=Success)'
=========================================================================

Disabling SELinux and rebooting, the startup script works fine.


John.

Version-Release number of selected component (if applicable):
coreutils-5.2.1-48     and     bash-3.0-31

How reproducible:
Always

Steps to Reproduce:
1. Create a startup script using the 'su' command to run a program as another user.

Actual Results:  The su command will fail.

Expected Results:  The su command should work and run the specified program as the specified user.

Additional info:
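As an added example (not part of the bug report or of coreutils), a small Python parser that finds the AVC `transition` denial in audit records like the ones quoted above and pairs it with the failing `execve` exit code of the same event, which is the check a defender would script before concluding that SELinux, not file permissions, blocked `su`. The sample log is constructed from the report's SYSCALL, AVC and USER records, unwrapped onto one line each.

```python
import re

# Constructed sample input: the SYSCALL/AVC/USER records from the report's
# audit.log, each put back onto a single line (the report wrapped them).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1119006433.988:7396329): arch=40000003 syscall=11 success=no exit=-13 a0=99a2760 a1=999c070 a2=99a27e8 a3=3 items=1 pid=4202 auid=4294967295 uid=1984 gid=1984 euid=1984 suid=1984 fsuid=1984 egid=1984 sgid=1984 fsgid=1984 comm="su" exe="/bin/su"
type=AVC msg=audit(1119006433.988:7396329): avc:  denied  { transition } for  pid=4202 comm="su" name=bash dev=md2 ino=1824354 scontext=root:system_r:initrc_t tcontext=user_u:system_r:unconfined_t tclass=process
type=USER msg=audit(1119006434.193:7396816): user pid=4201 uid=0 auid=4294967295 msg='PAM session close: user=bigbro exe=/bin/su (hostname=?, addr=?, terminal=pts/3 result=Success)'
"""

EVENT_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
KV_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{\s*([^}]*?)\s*\}")


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    rec = {k: v.strip("\"'") for k, v in KV_RE.findall(line)}
    m = EVENT_RE.search(line)
    if m:
        rec["event"] = m.group(2)  # serial shared by all records of one event
    m = AVC_RE.search(line)
    if m:
        rec["decision"] = m.group(1)
        rec["perms"] = m.group(2).split()
    return rec


def find_denied_transitions(log_text):
    """Return every AVC 'transition' denial on a process, joined with the
    SYSCALL record of the same event so the failing exec's errno is visible."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if "event" in rec:
            events.setdefault(rec["event"], []).append(rec)
    hits = []
    for recs in events.values():
        avcs = [r for r in recs if r["type"] == "AVC" and r.get("decision") == "denied"
                and "transition" in r.get("perms", []) and r.get("tclass") == "process"]
        syscall = next((r for r in recs if r["type"] == "SYSCALL"), {})
        for avc in avcs:
            hits.append({
                "comm": avc.get("comm"), "pid": avc.get("pid"),
                "from": avc["scontext"].split(":")[-1],  # source domain, e.g. initrc_t
                "to": avc["tcontext"].split(":")[-1],    # target domain, e.g. unconfined_t
                "exit": int(syscall.get("exit", "0")),   # -13 is EACCES: "Permission denied"
            })
    return hits
```

A hit with `from` = `initrc_t` and `exit` = -13 is exactly the report's symptom: the kernel refused the domain transition for the shell `su` tried to exec from the init script, so `su` printed "Permission denied" although `/bin/bash` is mode 0755.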
Comment 1 Tim Waugh 2005-06-17 08:18:05 EDT
Use 'runuser' for this.
Comment 2 John Horne 2005-06-17 09:36:20 EDT
Many thanks for such an easy answer :-) The 'su' worked at FC3 so I assumed it
was a bug in FC4. Didn't know about the runuser command. The startup script
works fine now.



John.