Description of problem:

I think the following small patch should be applied to the coreutils package, on top of the existing patch:

--- runuser.c.orig 2005-10-19 22:01:57.000000000 +0200 +++ runuser.c 2005-10-19 22:00:53.000000000 +0200 @@ -19,6 +19,8 @@ return PAM_SUCCESS; } int pam_open_session(pam_handle_t *pamh, int flags){ + if (getuid() != geteuid()) /* safety net: deny operation if we are suid by accident */ + error(EXIT_FAIL, 1, "runuser may not be setuid"); return PAM_SUCCESS; } int pam_close_session(pam_handle_t *pamh, int flags){

Rationale: There are still a lot of scripts that assume they can use "su" to switch uids. In some situations (e.g. mine :) it is simply too much work to audit them all and keep up with updates. Instead I intend to "mv su su2; ln runuser su" and teach the other admins to use su2 instead (users are not allowed to use su anyway). The only problem currently is that if the permissions on the new su are accidentally set to the usual values (by admin error or a permission check script) there is a security hole immediately. This small patch prevents this problem; it should not interfere with normal operation in any way.

PS: This patch has been in use for a few weeks and has not caused any problems so far. It was posted to the SELinux-ML and acked by Russell Coker, who requested that the patch be bugzilla'd.

How reproducible: Always
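Review bot: the setuid check is placed inside pam_open_session(), so it fires only when that function is called, and anything executed before that call still runs with the elevated effective uid; making the same test the first statement of main() would close that window. The condition compares only getuid() with geteuid(), so a binary that is accidentally made setgid is not caught; adding getgid() != getegid() would cover that case. In error(EXIT_FAIL, 1, "runuser may not be setuid") the second argument is an errno value, so the literal 1 is printed as the EPERM message on Linux; writing EPERM by name (or passing 0) would make the intent explicit.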
Thanks for the report. Fixed in 5.93-2 in rawhide.