From nobody@www.freebsd.org Sun Jun 16 15:49:29 2002
Return-Path:
Received: from nwww.freebsd.org (www.FreeBSD.org [216.136.204.117])
    by hub.freebsd.org (Postfix) with ESMTP id 11BEE37B40A
    for ; Sun, 16 Jun 2002 15:49:29 -0700 (PDT)
Received: from www.freebsd.org (localhost [127.0.0.1])
    by nwww.freebsd.org (8.12.2/8.12.2) with ESMTP id g5GMm5hG014222
    for ; Sun, 16 Jun 2002 15:48:05 -0700 (PDT)
    (envelope-from nobody@www.freebsd.org)
Received: (from nobody@localhost)
    by www.freebsd.org (8.12.2/8.12.2/Submit) id g5GMm5Pf014221;
    Sun, 16 Jun 2002 15:48:05 -0700 (PDT)
Message-Id: <200206162248.g5GMm5Pf014221@www.freebsd.org>
Date: Sun, 16 Jun 2002 15:48:05 -0700 (PDT)
From: Dan Mahoney
To: freebsd-gnats-submit@FreeBSD.org
Subject: Passwd will not work when root su's into a user.
X-Send-Pr-Version: www-1.0

>Number:         39382
>Category:       misc
>Synopsis:       Passwd will not work when root su's into a user.
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Jun 16 15:50:01 PDT 2002
>Closed-Date:    Mon Jun 17 22:07:01 PDT 2002
>Last-Modified:  Mon Jun 17 22:07:01 PDT 2002
>Originator:     Dan Mahoney
>Release:        4.5-STABLE
>Organization:
Gushi Systems
>Environment:
FreeBSD prime.gushi.org 4.5-STABLE FreeBSD 4.5-STABLE #0: Fri Apr 19 01:20:11 EDT 2002 root@temporary.ezzi.net:/usr/src/sys/compile/PRIME45 i386
>Description:
When root su's down to another account, even using -l to simulate a
full login, they are unable to try to use passwd (as the user) to
change their password, because passwd apparently checks realuid, and
not effectiveuid. This also breaks usermin, which runs as a normal
user, and has a password change module that uses passwd.
>How-To-Repeat:
As root, su -l to a user, then type passwd. You will get a
"permission denied" error.
>Fix:
Always use passwd -l $username, or could someone submit a patch for
passwd to correct this?
>Release-Note:
>Audit-Trail:

From: "Simon 'corecode' Schubert"
To: Dan Mahoney
Cc: freebsd-gnats-submit@FreeBSD.ORG
Subject: Re: misc/39382: Passwd will not work when root su's into a user.
Date: Mon, 17 Jun 2002 13:20:31 +0200

 On Sun, 16 Jun 2002 15:48:05 -0700 (PDT) Dan Mahoney wrote:

 > >Description:
 > When root su's down to another account, even using -l to
 > simulate a full login, they are unable to try to use passwd (as
 > the user) to change their password, because passwd apparently
 > checks realuid, and not effectiveuid. This also breaks usermin,
 > which runs as a normal user, and has a password change module
 > that uses passwd.

 this is not true. it cannot check the effective id because this is
 always changed to 0 (suid root!).
 passwd(1) checks the login name with getlogin(). this is the only one
 and true[tm] way to support different accounts with the same UID (for
 example personalized root accounts etc).
 besides, su'ing only to change a passwd seems overkill.

 cheerz
   simon

 --
 /"\   http://corecode.ath.cx/#donate
 \ /
  \     ASCII Ribbon Campaign
 / \  Against HTML Mail and News

From: "Dan Mahoney, System Admin"
To: "Simon 'corecode' Schubert"
Cc: Dan Mahoney ,
Subject: Re: misc/39382: Passwd will not work when root su's into a user.
Date: Mon, 17 Jun 2002 16:02:15 -0400 (EDT)

 On Mon, 17 Jun 2002, Simon 'corecode' Schubert wrote:

 > On Sun, 16 Jun 2002 15:48:05 -0700 (PDT) Dan Mahoney wrote:
 > > >Description:
 > > When root su's down to another account, even using -l to
 > > simulate a full login, they are unable to try to use passwd (as
 > > the user) to change their password, because passwd apparently
 > > checks realuid, and not effectiveuid. This also breaks usermin,
 > > which runs as a normal user, and has a password change module
 > > that uses passwd.

 Okay, so then shouldn't su -l do a setlogin()?

 -Dan Mahoney

 >
 > this is not true. it cannot check the effective id because this is
 > always changed to 0 (suid root!).
 > passwd(1) checks the login name with getlogin(). this is the only one
 > and true[tm] way to support different accounts with the same UID (for
 > example personalized root accounts etc).
 > besides, su'ing only to change a passwd seems overkill.
 >
 > cheerz
 >   simon
 >
 >

 --

 "You're a thucking reyer!"

 -Richard Bozzello, who believed tongue piercing was painless.

 --------Dan Mahoney--------
 Techie,  Sysadmin,  WebGeek
 Gushi on efnet/undernet IRC
 ICQ: 13735144   AIM: LarpGM
 Web: http://prime.gushi.org
 finger danm@prime.gushi.org
 for pgp public key and tel#
 ---------------------------

State-Changed-From-To: open->closed
State-Changed-By: cjc
State-Changed-When: Mon Jun 17 22:04:29 PDT 2002
State-Changed-Why:
As you mention, the fix is simply to give passwd(1) the user's name
as an argument. When logged in as root,

  # passwd user

To change 'user's password rather than bothering to su(1) to the
user. This is the intended and desired behavior.

http://www.freebsd.org/cgi/query-pr.cgi?pr=39382
>Unformatted:
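
The behaviour discussed in this PR, as an added C example that is not part of the PR and is not FreeBSD's passwd(1) source: it models a setuid password changer that picks its default target from the session login name (getlogin()) rather than from the UID. The account table, the names alice and toor, the helpers lookup() and may_change(), and the rule that a non-root real UID must match the target's UID are assumptions made for illustration.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Constructed account table standing in for the password database.
 * "toor" shares UID 0 with root, like a personalized root account. */
struct acct { const char *name; uid_t uid; };
static const struct acct accts[] = { {"root", 0}, {"toor", 0}, {"alice", 1001} };

static const struct acct *lookup(const char *name) {
    for (size_t i = 0; i < sizeof accts / sizeof accts[0]; i++)
        if (strcmp(accts[i].name, name) == 0)
            return &accts[i];
    return NULL;
}

/*
 * Model of the decision. The target defaults to the session login name
 * (what getlogin() returns), which su does not change, so it is not
 * necessarily the account that owns the real UID.
 * Assumed rule: allowed when the real UID is 0 or equals the target's UID.
 * Returns 1 = allowed, 0 = permission denied, -1 = unknown user.
 */
int may_change(const char *login_name, uid_t real_uid, const char *arg) {
    const struct acct *target = lookup(arg != NULL ? arg : login_name);
    if (target == NULL)
        return -1;
    return (real_uid == 0 || real_uid == target->uid) ? 1 : 0;
}

int main(void) {
    /* The identities the thread argues about, for the current process. */
    const char *login = getlogin();
    struct passwd *pw = getpwuid(getuid());
    printf("getlogin(): %s\n", login ? login : "(none)");
    printf("real uid %ld (%s), effective uid %ld\n", (long)getuid(),
           pw ? pw->pw_name : "unknown", (long)geteuid());
    /* root ran `su -l alice`: login name still root, real UID is alice's. */
    printf("su -l alice; passwd    -> %d\n", may_change("root", 1001, NULL));
    /* root runs `passwd alice` directly, as the PR closure recommends. */
    printf("passwd alice (as root) -> %d\n", may_change("root", 0, "alice"));
    return 0;
}
```

In this model the su case is refused because the default target is still root while the real UID is alice's; an ordinary alice login or root naming the user explicitly is allowed.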