Red Hat Bugzilla – Bug 55219
/sbin/nologin kills "easy" setuid with like 'su - nobody -c "command"
Last modified: 2014-03-16 22:23:56 EDT
As 'nobody' was changed to use /sbin/nologin, instead of empty, certain things broke badly.
You can no longer build "cheap" setuid solutions with constructs like:
su - nobody -c "command"
This may break very many local daemon initializations (typically from /etc/rc.d/rc.local), as only this is printed:
This account is currently not available.
Possible courses of action:
1) change nobody's shell to empty, or
2) create a small wrapper binary with c (e.g. /usr/bin/setid or /bin/setid) to perform basically the following (about 10-20 lines):
* takes arguments and one option
* first argument is always the userid to change the identity to
* the rest of the arguments would be stored as a command.
* the option, if present, could toggle whether the command is run through exec or system (default to exec?).
* setuid, setgid and initgroups to the specified user
* exec or system the command
as far as I can see, this could provide a scalable and nice way to get the similar behaviour. Optionally, it could also take an option for
additional chroot. The permissions would be 0750 root.root.
3) ignore the problem
Nalin, any opinions?
It is now the case that "su nobody -c command" (as opposed to "su - nobody -c
command") fails with the same error message. This causes root wrappers, such as
the one used by FreeCiv, to silently fail in X.
I last successfully used FreeCiv's root wrapper within the past month or so, but
I just recently noticed the failure. Changing nobody's shell to /bin/true causes
"su nobody -c command" to silently noop (no error message at all, but "command"
is not executed). Changing nobody's shell to /bin/bash allows "su nobody -
command" (and I can confirm it restores FreeCiv's root wrapper).
At this point, I don't think this behavior will be changed; it's been
this way for too many releases. Note that running multiple things as
nobody does not allow protections between them; best practices is to
allocate separate UIDs for each different setuid situation needed.