DaemonForums  

#1 sputnik (7th September 2010)
ksh doesn't read root's .profile

Does anyone have a clue? If I use "su - root", I have all aliases in /root/.profile working. If I use "su", /root/.profile doesn't seem to be read by ksh. What's the solution? Typing "su - root" every time is annoying.

#2 rocket357 (7th September 2010)

Quote:
Originally Posted by sputnik
> Does anyone have a clue? If I use "su - root", I have all aliases in /root/.profile working. If I use "su", /root/.profile doesn't seem to be read by ksh. What's the solution? Typing "su - root" every time is annoying.

That's intended behavior. If you simply "su", you're keeping your environment while gaining elevated priv. If you "su -", you are using a login shell to read root's environment.

Read ksh's manpage (search for login shell and privileged shell).

#3 sputnik (7th September 2010)

Just read it, but haven't found a solution. I've also noted when I use "su" I'm keeping my environment partly. E.g. exported variables like PKG_PATH or CVSROOT are preserved, but aliases are not. I'm confused.

#4 sputnik (7th September 2010)

And also variable PATH is not preserved (/usr/local/sbin particularly). Is this really intended behaviour? Some variables are kept and some are not.

#5 jggimi (7th September 2010)

You might consider a couple of additional man pages:

From su(1):
Quote:
> By default, the environment is unmodified with the exception of LOGNAME,
> HOME, SHELL, and USER. HOME and SHELL are set to the target login's
> default values. LOGNAME and USER are set to the target login, unless the
> target login has a user ID of 0 and the -l flag was not specified, in
> which case it is unmodified. The invoked shell is the target login's.
> This is the traditional behavior of su.

and a command you may not have considered, sudo(8), which has significantly more capability than su. You can set the environment variables you want carried over, or not, by configuration file. And then, you can even override them, as described here for the -E operand:
Quote:
> The -E (preserve environment) option will override the
> env_reset option in sudoers(5)). It is only available when
> either the matching command has the SETENV tag or the
> setenv option is set in sudoers(5).

Of course, you'll want to read sudoers(5) as well.

#6 rocket357 (7th September 2010)

Solution to what? You haven't been clear about what you *expect* to have happen, and how that differs from what you're observing.

I'm hazarding a guess here...a very quick and dirty workaround (if I'm understanding your complaint correctly) would be to alias su="su -", then source your alias file at the bottom of your .profile.

#7 sputnik (7th September 2010)

That's correct, you've understood my complaint correctly enough. I've reread the su(1) manpage and found a bit more acceptable "solution": alias su='su -m'. Thanks for the answers!

#8 Oko (7th September 2010)

Quote:
Originally Posted by sputnik
> That's correct, you've understood my complaint correctly enough. I've reread the su(1) manpage and found a bit more acceptable "solution": alias su='su -m'. Thanks for the answers!

Which poses a security risk ...

#9 sputnik (7th September 2010)

Quote:
Originally Posted by Oko
> Which poses a security risk ...

How? I presume su -l could be a security risk, but not su -m... :/

Oko (7th September 2010)

Quote:
Originally Posted by sputnik
> How? I presume su -l could be a security risk, but not su -m... :/

You got it wrong. Reading .profile IS a security risk. Default behavior when you log as su - and do NOT read .profile is NOT a security risk. Just think about it for a second.

sputnik (8th September 2010)

Quote:
Originally Posted by Oko
> You got it wrong. Reading .profile IS a security risk. Default behavior when you log as su - and do NOT read .profile is NOT a security risk. Just think about it for a second.

But 'su -m' doesn't read the target user's .profile; it leaves the environment unmodified, as man su(1) says:
Quote:
> Leave the environment unmodified. The invoked shell is your login shell, and no directory changes are made.

Also csh would read root's .cshrc. Does that mean csh is not secure as root shell?

mechanic (8th September 2010)

I found that even with 'su -' some environment variables were read and some were not (as explained above) and the working directory changed to /root too. The aliases issue had to be overcome by putting those in a .kshrc file referred to by a $ENV variable defined in .profile. Running 'su' carries over the aliases defined in the user directory without changing working directory which I find useful.

Last edited by mechanic; 8th September 2010 at 04:09 PM.

Oko (8th September 2010)

Quote:
Originally Posted by sputnik
> Also csh would read root's .cshrc. Does that mean csh is not secure as root shell?

Root's .cshrc is OK. What you do not want is to read .cshrc from your regular user account. My understanding was that he wants exactly that. To read all the environment of the regular user. I will admit that would make work more convenient but on a multi-user system it is just plain dangerous.

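Added example (not part of any poster's message): a small POSIX sh audit of the environment a root shell ends up with after "su" or "su -m", checking that every PATH directory and the file named by ENV (the variable used above to point at .kshrc) is owned by root and not group- or world-writable. The function names and TRUSTED_UID are assumptions of this example, and ENV is assumed to hold a literal path.

```shell
#!/bin/sh
# Added example: audit what a root shell started with plain "su" or "su -m"
# inherits from the caller. TRUSTED_UID and all function names are assumptions
# of this sketch; it also assumes $ENV holds a literal path (no unexpanded $HOME).
TRUSTED_UID=${TRUSTED_UID:-0}

# Succeed only if $1 exists, is owned by TRUSTED_UID and is not
# group- or world-writable. -L follows symlinks, -n prints numeric owners.
is_trusted() {
    info=$(ls -ldnL -- "$1" 2>/dev/null) || return 1
    mode=${info%% *}
    owner=$(printf '%s\n' "$info" | awk '{ print $3; exit }')
    [ "$owner" = "$TRUSTED_UID" ] || return 1
    case $mode in
        ?????w*|????????w*) return 1 ;;   # group write bit or other write bit
    esac
    return 0
}

# Print one finding per risky entry of the colon-separated list in $1.
audit_path() {
    [ -n "$1" ] || return 0
    rest="$1:"
    while [ -n "$rest" ]; do
        dir=${rest%%:*}
        rest=${rest#*:}
        case $dir in
            '') printf 'PATH: empty entry (searches the current directory)\n' ;;
            /*) is_trusted "$dir" ||
                    printf 'PATH: %s is missing, not owned by uid %s, or group/world-writable\n' "$dir" "$TRUSTED_UID" ;;
            *)  printf "PATH: relative entry '%s'\n" "$dir" ;;
        esac
    done
}

# ksh reads the file named by $ENV when an interactive shell starts, so a
# root shell that keeps the caller's ENV runs whatever that file contains.
audit_env_file() {
    [ -n "$1" ] || return 0
    is_trusted "$1" ||
        printf 'ENV: %s is missing, not owned by uid %s, or group/world-writable\n' "$1" "$TRUSTED_UID"
}

# Run against the current environment, e.g. right after "su" and before
# doing any real work in the root shell.
audit_path "${PATH:-}"
audit_env_file "${ENV:-}"
```

No output means every checked entry is root-owned and closed to other users; each printed line names one inherited setting to fix or drop before working as root.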
sputnik (16th September 2010)

Quote:
Originally Posted by Oko
> on a multi-user system it is just plain dangerous.

Not convinced. "just plain dangerous" is not an argument.