Pure LFS coreutils - I rest my case (temporarily :)

Erik-Jan ej.lfs at xs4all.nl
Thu Apr 24 14:35:25 PDT 2003


Bill's LFS Login wrote:
> 
> You folks are a tough audience!
> 
Hehehe :))

But I think I've found why you're having such a hard time with the
fail-2eperm-test. It all has to do with versions of su. Both
coreutils/shellutils and shadow have a su. There are some differences
between these versions.
Shadow-su (which apparently is installed on your system) wants "username
args" in that order, coreutils-su doesn't care which comes first. If
shadow-su is invoked like this: "su -c "command" username", it just
forgets about the username. It runs the command with the permissions of
the user that issued the su, in this case root. That's why your tests
d-g all remove a/b, the rm-command is executed as root. Coreutils-su
executes the command as user, no difference if the user is before or
after the -c.
Coreutils-su on the other hand, seems to have a problem calling bash,
because it takes BASH_ENV from root. This gives the error
"/root/.bashrc: Permission denied", because the non-root-user doesn't
have permissions in /root. Shadow-su clears BASH_ENV, so no problems
here.

All this leads to one conclusion: the fail-2eperm-test should be run
using the newly-built coreutils-su. This prevents su-issues from the
hosts creeping up in the test. So, using /bin/su in the test really
isn't ok.
Preventing BASH_ENV from doing ugly things can be done by adding
--shell=/bin/sh (or -s /bin/sh if you don't like to type :)) to the
su-commands.
I'll see what I can do to src/su.c, to make it clean BASH_ENV. Most
likely I will just make it crash, I don't know much about C...

Secondly, there should be a test (like Ryan's) to check if the shell
indicated in /etc/passwd really can execute commands. Users like your
user mysql should never be allowed to do shell-things, otherwise they
wouldn't have /bin/false as shell.

I've finished a test-build with a patched fail-2eperm-test, just like I
suggested in an earlier post. It all went OK, both in ch5 and ch6. For
completeness, I've attached the patch I used. It is made for
coreutils-5.0, but also works on versions 4.5.10 and up.
For versions 4.5.9 and earlier, there isn't a valid-shell test, so the
patch doesn't apply. Just adding -s /bin/sh to the su should make the
test work in these cases.

Bye
Erik-Jan
-------------- next part --------------
diff -Naur coreutils-5.0-orig/tests/rm/fail-2eperm coreutils-5.0/tests/rm/fail-2eperm
--- coreutils-5.0-orig/tests/rm/fail-2eperm	Wed Apr 23 01:16:43 2003
+++ coreutils-5.0/tests/rm/fail-2eperm	Wed Apr 23 01:17:55 2003
@@ -23,7 +23,8 @@
 non_root_username=
 names=`grep -v '[^:]*:[^:]*:0:' /etc/passwd| sed 's/:.*//'`
 for name in $names; do
-  su -c ':' $name && { non_root_username=$name; break; }
+  retname=`su -c 'id -un' $name 2> /dev/null`
+  test "$name" = "$retname" && { non_root_username=$name; break; }
 done
 test "x$non_root_username" = x && framework_failure=1
 
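Review bot: The new `retname=` probe has no comment explaining why the exit status of `su -c ':'` was not enough, so a later reader may simplify it back to the old line. Add a comment saying that comparing `id -un` with `$name` rejects both a su that runs the command as the invoking user and an account whose shell cannot execute commands. The probe also sends stderr to /dev/null, so when every candidate is rejected the only trace is `framework_failure=1`; consider keeping the last error for diagnosis. `$name` should be quoted in both the `su` call and the `test`.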
@@ -41,7 +42,7 @@
 
 fail=0
 
-su -c 'rm -rf a' $non_root_username 2> out && fail=1
+su --shell=/bin/sh -c 'rm -rf a' $non_root_username 2> out && fail=1
 cat <<\EOF > exp
 rm: cannot remove `a/b': Operation not permitted
 EOF
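Review bot: The changed `su --shell=/bin/sh -c 'rm -rf a'` line still resolves `su` through PATH, so the test keeps depending on whichever su the host provides, which is the dependency the message says should be avoided; point it explicitly at the su under test or state in a comment which one is expected. The reason for `--shell=/bin/sh` (keeping shell start-up errors out of `out`, which is compared against `exp`) is not recorded next to the line and deserves a one-line comment. The probe in the previous hunk runs through the account's own shell while this line forces /bin/sh, so the two no longer exercise the same path; note that this is intentional. Quote `"$non_root_username"`.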


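The BASH_ENV behaviour described in the message, as an added example that is not part of the original post or its patch: a non-interactive bash sources the file named by an inherited BASH_ENV, while clearing the variable or running the command through /bin/sh avoids it. The directory, the `rc` file and the `run_*` function names are hypothetical, and no change of user is performed; only the environment inheritance is shown.

```shell
#!/bin/sh
# Added illustration; demo_dir, rc and the run_* names are made up here.
# Constructed stand-in for the caller's start-up file: it prints a marker.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'echo "startup file ran"\n' > "$demo_dir/rc"

# A non-interactive bash sources the file named by BASH_ENV before running
# the command, so a value inherited from the caller is acted on by the child.
run_inherited() {
  BASH_ENV="$demo_dir/rc" bash -c 'echo cmd'
}

# Dropping the variable before the shell starts, which is the effect the
# message attributes to shadow-su.
run_scrubbed() {
  BASH_ENV="$demo_dir/rc" env -u BASH_ENV bash -c 'echo cmd'
}

# The workaround from the message: run the command through /bin/sh, which
# does not read BASH_ENV for a non-interactive command.
run_via_sh() {
  BASH_ENV="$demo_dir/rc" /bin/sh -c 'echo cmd'
}

# Show all three results on one line each when run stand-alone.
for f in run_inherited run_scrubbed run_via_sh; do
  printf '%s: %s\n' "$f" "$($f | tr '\n' ' ')"
done
```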