# SU Riddle ...



## pascalvree (May 6, 2009)

I've posted a different post concerning some problems I have with booting up some services I have on my FreeBSD machine.

After some digging I found the next riddle ... (you would suspect both commands to run on every server)


```
su -l svn -c 'echo foo'   # works on all machines
su -m svn -c 'echo foo'   # won't work on my own machine, works on others
```

Is there anybody out there who has the answer to my little riddle ... Right now I'm completely clueless ...


----------



## pascalvree (May 6, 2009)

pascalvree said:

> I've posted a different post concerning some problems I have with booting up some services I have on my FreeBSD Machine.
> 
> After some digging I found the next riddle ... (you would suspect both commands to run on every server)
> 
> ...



I've also posted the relevant parts from the su man page here ... perhaps it's helpful!

```
-m      Leave the environment unmodified.  The invoked shell is your
        login shell, and no directory changes are made.  As a security
        precaution, if the target user's shell is a non-standard shell
        (as defined by getusershell(3)) and the caller's real uid is
        non-zero, su will fail.

-l      Simulate a full login.  The environment is discarded except for
        HOME, SHELL, PATH, TERM, and USER.  HOME and SHELL are modified
        as above.  USER is set to the target login.  PATH is set to
        ``/bin:/usr/bin''.  TERM is imported from your current
        environment.  Environment variables may be set or overridden
        from the login class capabilities database according to the
        class of the target login.  The invoked shell is the target
        login's, and su will change directory to the target login's home
        directory.  Resource limits and session priority are modified to
        that for the target account's login class.
```


----------



## SirDice (May 6, 2009)

> if the target user's shell is a non-standard shell (as defined by getusershell(3)) and the caller's real uid is non-zero, su will fail.


Did you change root's shell? Check /etc/shells and see if its shell is in there.


----------



## pascalvree (May 6, 2009)

SirDice said:

> Did you change root's shell? Check /etc/shells and see if its shell is in there.



Well, root's shell is csh, and it's listed in /etc/shells:

```
# $FreeBSD: src/etc/shells,v 1.5 2000/04/27 21:58:46 ache Exp $
#
# List of acceptable shells for chpass(1).
# Ftpd will not allow users to connect who are not using
# one of these shells.

/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash
/usr/local/bin/rbash
```

This is the output of the env command:

```
REMOTEHOST=83.161.207.150
TERM=xterm
SHELL=/bin/csh
HOST=ervert
USER=root
GROUP=wheel
HOSTTYPE=FreeBSD
PAGER=more
FTP_PASSIVE_MODE=YES
MAIL=/var/mail/root
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/games:/usr/local/sbin:/usr/local/bin:/root/bin
BLOCKSIZE=K
PWD=/bin
EDITOR=emacs
PS1=[\e[31;40m\u \e[36;40m\h \e[32;40m\w\e[37;40m] >
HOME=/root
SHLVL=3
OSTYPE=FreeBSD
VENDOR=intel
MACHTYPE=i386
LOGNAME=root
_=/usr/bin/env
OLDPWD=/root
```


----------



## SirDice (May 6, 2009)

Oh wait.. You're su'ing to svn. What's svn's shell?


----------



## DutchDaemon (May 6, 2009)

The *target* user in this case would be svn (or mysql in the original case).


----------



## pascalvree (May 6, 2009)

SirDice said:

> Oh wait.. You're su'ing to svn. What's svn's shell?



```
svn:*:1014:1016:User &:/home/svn:/bin/sh
```

<= /bin/sh, which happens to be in the /etc/shells list


----------



## pascalvree (May 6, 2009)

DutchDaemon said:

> The *target* user in this case would be svn (or mysql in the original case).



LOL, when I try the next:

```
su -c -m svn -c '/bin/echo foo'
```

it works like a charm ...

but the command

```
su -m svn -c '/bin/echo foo'
```

fails utterly ...


----------



## pascalvree (May 6, 2009)

pascalvree said:

> LOL when i try the next
> 
> ```
> su -c -m svn -c '/bin/echo foo'
> ...



The same holds for:

working command:

```
su -c -m svn -c 'sh -c "/bin/echo foo"'
```

failing command:

```
su -m svn -c 'sh -c "/bin/echo foo"'
```

If I read the manual correctly, the first "-c" option makes sure the resource limits for the user being su'd to are applied ...

Please help ...


----------



## DutchDaemon (May 6, 2009)

pascalvree said:

> working command:
> 
> ```
> su -c -m svn -c 'sh -c "/bin/echo foo"'
> ```



Really?


```
[root@box ~]# su -c -m mysql -c 'sh -c "/bin/echo foo"'
This account is currently not available.
```

However:

```
[root@box ~]# su -c mysql -m mysql -c 'sh -c "/bin/echo foo"'
foo
```


```
[root@box ~]# su -c mysql -m mysql -c 'echo foo'
foo
```


----------



## pascalvree (May 6, 2009)

Hmm... DutchDaemon, I really don't have any clue left ...
Is there any way I can debug the su command easily? It seems the command tends to work, but fails just for the -m option ... that sounds like a minor bug, or a misconfiguration on my behalf...



			
				DutchDaemon said:
			
		

> Really?
> 
> 
> ```
> ...


----------



## pascalvree (May 6, 2009)

After lots o'digging ... it finally turned out to be my own stupid configuration mistake ...

The default root shell is /bin/sh; a friend o'mine who also administers the server really prefers bash. So for various reasons I added a minor command to the end o'the .shrc file:


```
[ -x /usr/local/bin/bash ] && exec /usr/local/bin/bash
```

I suppose there is still some fine-tuning to be done in order to start bash when available ... (FreeBSD offers a lot o'reasons not to install bash as the default shell for root, so I wrote that minor command ...)

Thanx for helping me debuggin' it!
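Added example, not from any post in this thread: a guarded form of the `.shrc` hand-off above that only execs bash from an interactive shell, plus the `/etc/shells` membership check SirDice pointed at. The function names `want_bash`, `is_standard_shell` and `sample_shells_file`, and the constructed shells list, are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the poster's actual .shrc. The unguarded line from the
# thread,
#   [ -x /usr/local/bin/bash ] && exec /usr/local/bin/bash
# also runs when `su -m svn -c '...'` starts the caller's login shell (sh
# here), which reads $ENV (.shrc); exec replaces that sh before the -c
# command runs.

# Return 0 only when the shell flags (pass "$-") contain 'i', i.e. the shell
# is interactive, and the bash binary is executable. Non-interactive shells,
# such as the one `su -m user -c cmd` starts, keep running sh.
want_bash() {
    flags=$1
    bash_path=${2:-/usr/local/bin/bash}
    case $flags in
        *i*) [ -x "$bash_path" ] ;;
        *)   return 1 ;;
    esac
}

# The thread's other hypothesis: su -m fails when the target user's shell is
# not listed in /etc/shells (getusershell(3)) and the caller is not root.
# Whole-line, fixed-string match against a shells file (default /etc/shells).
is_standard_shell() {
    grep -qxF -- "$1" "${2:-/etc/shells}"
}

# Constructed stand-in for /etc/shells (modelled on the poster's listing) so
# the check can be exercised without touching the real file; prints its path.
sample_shells_file() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# List of acceptable shells for chpass(1).
/bin/sh
/bin/csh
/bin/tcsh
/usr/local/bin/bash
EOF
    printf '%s\n' "$f"
}

# Guarded .shrc line (kept as a comment here so this file is safe to source):
#   want_bash "$-" && exec /usr/local/bin/bash
```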


----------



## phoenix (May 6, 2009)

**Don't change root's shell unless you *REALLY* understand all the implications thereof.**

If you need to access a "root" account with a different shell, then change the password for user *toor* and set that to use whichever shell you want.

That way, root will always be accessible using the defaults, and toor will be available with the non-standard setup.  That's the whole point to having toor.

Search the forums and the FreeBSD mailing lists for many, many, many, many, many long threads on the perils of changing root's shell.

Even better, don't ever login as root.  Just use sudo and su to start the shell of your choice as needed.


----------



## pascalvree (May 7, 2009)

Oh, we do agree on the never-login-as-root part; the sudo bash option will do most o'the time... the guy who also administers a bit on the machine just needs to learn some new habits instead o'the old ones...



			
				phoenix said:
			
		

> *Don't change root's shell unless you *REALLY* understand all the implications there of.*
> 
> If you need to access a "root" account with a different shell, then change the password for user *toor* and set that to use whichever shell you want.
> 
> ...


----------

