Le 20/12/18 à 23:53, Francesco Poli a écrit :
On Thu, 20 Dec 2018 11:46:55 +0100 Laurent Bigonville wrote:
[...]
Otoh, runuser pam service is doing the strict minimum on purpose (ie
setting the limits based on the configuration and cleaning the kernel
keyring).
But I am under the impression that it does not *permanently* drop root
privileges.
What makes you think that?
bigon@fornost:~$ sudo runuser -u bigon /bin/bash -- -c "cat /proc/$$/status|grep -E
'[G|U]id'"
Uid: 1000 1000 1000 1000
Gid: 1000 1000 1000 1000
http://man7.org/linux/man-pages/man5/proc.5.html says that UID and GID are:
*/Uid/,/Gid/: Real, effective, saved set, and filesystem UIDs
(GIDs).
So bash is running as my UID/GID again.
You indeed have runuser still running as root, that's true:
root 8909 0.0 0.0 14856 4388 pts/0 S 09:38 0:00 sudo runuser
-u bigon /bin/bash
root 8910 0.0 0.0 14180 3444 pts/0 S 09:38 0:00 runuser -u
bigon /bin/bash
bigon 8911 0.0 0.0 8044 4896 pts/0 S 09:38 0:00 /bin/bash
But I don't see this being a problem, but I'm maybe overlooking
something here?
I tested quickly by replacing s6-setuidgid by runuser and it's working fine.
The only problems can see here is the fact that running the browser (ie
firefox) directly started by user or started after switching to root and
then back to the user might not produce the same result (environments
being different, SELinux context not being the expected one,...) but
AFAICS this might also happen with s6-setuidgid.
Anyway, I installed s6 on my machine to give a try at the current
implementation and it's not working, I get the following error:
s6-envuidgid: fatal: unable to get supplementary groups for bigon: No
such file or directory
