Bug 160798 - su command in startup script fails with permissions problem
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: coreutils
Version: 4
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Tim Waugh
Reported: 2005-06-17 07:38 EDT by John Horne
Modified: 2007-11-30 17:11 EST (History)
Last Closed: 2005-06-17 08:18:05 EDT
Description John Horne 2005-06-17 07:38:32 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050524 Fedora/1.0.4-4 Firefox/1.0.4

Description of problem:
I have a system startup script in /etc/init.d which calls 'su' to run a program as another user ('bigbro'). The relevant part is:

=========================================================================
BBHOME=/home/bigbro/bb

[ -f $BBHOME/runbb.sh ] || exit 0

# See how we were called.
case "$1" in
  start)
        echo -n "Starting Big Brother"
        su -l -c "$BBHOME/runbb.sh start >/dev/null" bigbro && \
        success "Starting Big Brother" || failure "Starting Big Brother"
        echo
        ;;
=========================================================================

Changing the startup script to show what is happening, it shows that the su command fails with a permission problem:

=========================================================================
Starting Big Brother+ su -l -c '/home/bigbro/bb/runbb.sh start >/dev/null' bigbro
su: /bin/bash: Permission denied
=========================================================================

The log file /var/log/audit/audit.log shows (wrapped by me):

=========================================================================
type=USER msg=audit(1119006433.270:7394952): user pid=4201 uid=0 auid=4294967295
  msg='PAM authentication: user=bigbro exe=/bin/su (hostname=?, addr=?, 
  terminal=pts/3 result=Success)'
type=USER msg=audit(1119006433.578:7395659): user pid=4201 uid=0 auid=4294967295
  msg='PAM accounting: user=bigbro exe=/bin/su (hostname=?, addr=?, 
  terminal=pts/3 result=Success)'
type=USER msg=audit(1119006433.885:7396141): user pid=4201 uid=0 auid=4294967295
  msg='PAM session open: user=bigbro exe=/bin/su (hostname=?, addr=?, 
  terminal=pts/3 result=Success)'
type=PATH msg=audit(1119006433.988:7396329): item=0 name="/bin/bash" 
  inode=1824354 dev=09:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=AVC_PATH msg=audit(1119006433.988:7396329):  path="/bin/bash"
type=SYSCALL msg=audit(1119006433.988:7396329): arch=40000003 syscall=11 
  success=no exit=-13 a0=99a2760 a1=999c070 a2=99a27e8 a3=3 items=1 pid=4202 
  auid=4294967295 uid=1984 gid=1984 euid=1984 suid=1984 fsuid=1984 egid=1984 
  sgid=1984 fsgid=1984 comm="su" exe="/bin/su"
type=AVC msg=audit(1119006433.988:7396329): avc:  denied  { transition } for  
  pid=4202 comm="su" name=bash dev=md2 ino=1824354 
  scontext=root:system_r:initrc_t tcontext=user_u:system_r:unconfined_t 
  tclass=process
type=USER msg=audit(1119006434.193:7396816): user pid=4201 uid=0 auid=4294967295
  msg='PAM session close: user=bigbro exe=/bin/su (hostname=?, addr=?, 
  terminal=pts/3 result=Success)'
=========================================================================

After disabling SELinux and rebooting, the startup script works fine.


John.

Version-Release number of selected component (if applicable):
coreutils-5.2.1-48     and     bash-3.0-31

How reproducible:
Always

Steps to Reproduce:
1. Create a startup script using the 'su' command to run a program as another user.

Actual Results:  The su command will fail.

Expected Results:  The su command should work and run the specified program as the specified user.

Additional info:
Comment 1 Tim Waugh 2005-06-17 08:18:05 EDT
Use 'runuser' for this.
Comment 2 John Horne 2005-06-17 09:36:20 EDT
Many thanks for such an easy answer :-) The 'su' worked at FC3 so I assumed it
was a bug in FC4. Didn't know about the runuser command. The startup script
works fine now.



John.
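The SYSCALL, PATH and AVC records in the description share one audit event serial (7396329), which is what ties the "Permission denied" from su to the SELinux decision. The following is an added example, not part of the bug report: it groups audit records by serial and reports denied process domain transitions. The function names are this example's own, and the sample records are the ones from the description, re-joined to one line each.

```python
import errno
import re
from collections import defaultdict

# Records from the audit.log excerpt in the description, re-joined to one line each.
SAMPLE = """\
type=USER msg=audit(1119006433.885:7396141): user pid=4201 uid=0 auid=4294967295 msg='PAM session open: user=bigbro exe=/bin/su (hostname=?, addr=?, terminal=pts/3 result=Success)'
type=PATH msg=audit(1119006433.988:7396329): item=0 name="/bin/bash" inode=1824354 dev=09:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1119006433.988:7396329): arch=40000003 syscall=11 success=no exit=-13 a0=99a2760 a1=999c070 a2=99a27e8 a3=3 items=1 pid=4202 auid=4294967295 uid=1984 gid=1984 euid=1984 suid=1984 fsuid=1984 egid=1984 sgid=1984 fsgid=1984 comm="su" exe="/bin/su"
type=AVC msg=audit(1119006433.988:7396329): avc:  denied  { transition } for  pid=4202 comm="su" name=bash dev=md2 ino=1824354 scontext=root:system_r:initrc_t tcontext=user_u:system_r:unconfined_t tclass=process
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\(\d+\.\d+:(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
AVC = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}")

def parse_events(text):
    """Group audit records by event serial: {serial: {record_type: fields}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        rtype, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        avc = AVC.search(body)
        if avc:
            fields["decision"], fields["perms"] = avc.group(1), avc.group(2).split()
        events[serial][rtype] = fields
    return events

def denied_transitions(text):
    """Return one finding per denied SELinux process domain transition."""
    findings = []
    for serial, recs in parse_events(text).items():
        avc, sc, path = recs.get("AVC", {}), recs.get("SYSCALL", {}), recs.get("PATH", {})
        if (avc.get("decision") != "denied" or avc.get("tclass") != "process"
                or "transition" not in avc["perms"]):
            continue
        # The syscall exit value is a negated errno (here -13, i.e. EACCES).
        code = -int(sc.get("exit", 0))
        findings.append({
            "serial": serial, "exe": sc.get("exe"), "target": path.get("name"),
            "from_domain": avc["scontext"].split(":")[2],
            "to_domain": avc["tcontext"].split(":")[2],
            "errno": errno.errorcode.get(code),
        })
    return findings
```

On the sample this yields a single finding: `/bin/su`, running in `initrc_t`, was refused the transition to `unconfined_t` when executing `/bin/bash`, and the syscall returned EACCES.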
