
Re: mandb wrapper scripts



On Tue, Feb 08, 2000 at 01:46:56PM +0200, Fabrizio Polacco wrote:
> 
> The other two issues still open are:
> 
>  * Not all the ports has su -s working.
>  * local sysadm can disable shell of user nobody.
> 
>   # After executing 
> [ `id -u` = 0 ] || exec ${cmd}
>   # we are sure we are root.
>   # Now we can test for nobody's shell:
> su nobody -c "/bin/true" && exec su nobody -c ${1+"$cmd"}
>   # At this point we know that nobody has no shell.
>   # we need su -s but we have to test it before.
> su -s /bin/true 2>/dev/null && exec su -s /bin/sh nobody -c ${1+"$cmd"}
>   # everything failed: no shell and no su -s ... use less-secure user man.
> exec su man -c ${1+"$cmd"}
> 
> 
> The script:
> 	#!/bin/sh -e
> 	pgm=`basename $0`
> 	edir=/usr/lib/man-db
> 	cmd="${edir}/${pgm} ${1+$@}"
> 	[ `id -u` = 0 ] || exec ${cmd}
> 	su nobody -c "/bin/true" && exec su nobody -c ${1+"$cmd"}
> 	su -s /bin/true 2>/dev/null && exec su -s /bin/sh nobody -c ${1+"$cmd"}
> 	exec su man -c ${1+"$cmd"}
> 
> 
> a quick test before hitting y
> ...
> works!

Sorry, but I have to add one more patch ;-) If we use man with no
arguments we get the su usage, which would probably trigger a `wtf'. Fix
below:

#!/bin/sh -e
pgm=`basename $0`
edir=/usr/lib/man-db
# the real binary plus whatever arguments we were given
cmd="${edir}/${pgm} ${1+$@}"
# with no arguments su would only print its usage; bail out ourselves instead
if [ $# = 0 ] ; then
    echo "What manual page do you want?"
    exit 1
fi
# not root: nothing to drop, just run the command
[ `id -u` = 0 ] || exec ${cmd}
# root: try user nobody with its own shell first
su nobody -c "/bin/true" && exec su nobody -c ${1+"$cmd"}
# nobody has no usable shell; use su -s if this su supports it
su -s /bin/true 2>/dev/null && exec su -s /bin/sh nobody -c ${1+"$cmd"}
# no shell and no su -s: fall back to the less secure user man
exec su man -c ${1+"$cmd"}

Also, one other problem: if the admin has set nobody's shell to
/bin/true instead of /bin/false then we will be fooled into thinking
our test succeeded when it really didn't. I tend to think this is not
too bad, but perhaps you should document this in the README. I do
not think it's unreasonable to ask the admin to use /bin/false instead
of /bin/true for nobody's bogus shell.

The only other way I can think of to test for the shell is using awk on
/etc/passwd, but this is for sure not very portable, since not all
systems use the same format for /etc/passwd. (Let me guess, Hurd uses
something totally different :)

-- 
Ethan Benson

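The two checks discussed in the message above, as an added example that is not part of the thread and not man-db's own code: looking up a user's login shell in passwd-format data with awk (assumes the classic seven-field colon-separated layout, which the message notes is not universal), a name-based check for the usual "disabled account" shells, and a behavioural probe that cannot be fooled by a /bin/true shell. The probe asks the shell to run `exit 3` and requires exactly that status back: /bin/true ignores its arguments and exits 0, /bin/false exits 1, and only a real shell returns 3. The passwd lines are constructed sample data; the example assumes /bin/sh, /bin/true and /bin/false exist on the machine it runs on, and the remark about applying the same probe through `su nobody -c 'exit 3'` is this example's suggestion, not something from the thread.

```shell
#!/bin/sh
# Added example (not from the original thread or man-db): deciding whether an
# unprivileged user's login shell is really usable before dropping to it.
# Assumes the seven-field colon-separated passwd format and that /bin/sh,
# /bin/true and /bin/false exist on the test machine.

# Constructed sample passwd data: nobody disabled with /bin/false, a second
# "nobody" disabled with /bin/true (the case the mail warns about), and two
# accounts with a real shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/false
nobodytrue:x:65535:65535:nobody:/nonexistent:/bin/true
man:x:6:12:man:/var/cache/man:/bin/sh'

# passwd_shell USER PASSWD_TEXT
# Prints the seventh field (login shell) for USER, or nothing if USER is absent.
# This is the "awk on /etc/passwd" approach from the message.
passwd_shell() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '$1 == u { print $7; exit }'
}

# shell_looks_bogus SHELL
# Name-based check: returns 0 if SHELL is empty or one of the programs admins
# commonly use to disable an account, 1 otherwise.
shell_looks_bogus() {
    case "$1" in
        ''|/bin/false|/bin/true|/usr/bin/false|/usr/bin/true|/sbin/nologin|/usr/sbin/nologin)
            return 0 ;;
        *)
            return 1 ;;
    esac
}

# probe_shell SHELL
# Behavioural check: run SHELL -c 'exit 3' and require status 3 back.
# A /bin/true "shell" passes the thread's  su nobody -c /bin/true  test because
# it exits 0 no matter what it is asked to run; it cannot pass this one.
# In the wrapper the equivalent would be  su nobody -c 'exit 3'  followed by
# the same test on $? (assumption: su propagates the shell's exit status).
probe_shell() {
    "$1" -c 'exit 3' 2>/dev/null
    [ $? -eq 3 ]
}

# usable_shell USER PASSWD_TEXT
# Combines both checks and prints "usable" or "bogus" for USER's shell.
usable_shell() {
    user_shell=$(passwd_shell "$1" "$2")
    if shell_looks_bogus "$user_shell"; then
        echo bogus
    elif probe_shell "$user_shell"; then
        echo usable
    else
        echo bogus
    fi
}
```

Running `usable_shell nobodytrue "$SAMPLE_PASSWD"` reports the /bin/true account as bogus even though `/bin/true -c /bin/true` would have returned 0, which is exactly the case the name-based test alone would miss if /bin/true were not on its list.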