Re: mandb wrapper scripts
On Tue, Feb 08, 2000 at 01:46:56PM +0200, Fabrizio Polacco wrote:
>
> The other two issues still open are:
>
> * Not all the ports have su -s working.
> * local sysadm can disable shell of user nobody.
>
> # After executing
> [ `id -u` = 0 ] || exec ${cmd}
> # we are sure we are root.
> # Now we can test for nobody's shell:
> su nobody -c "/bin/true" && exec su nobody -c ${1+"$cmd"}
> # At this point we know that nobody has no shell.
> # we need su -s but we have to test it before.
> su -s /bin/true 2>/dev/null && exec su -s /bin/sh nobody -c ${1+"$cmd"}
> # everything failed: no shell and no su -s ... use less-secure user man.
> exec su man -c ${1+"$cmd"}
>
>
> The script:
> #!/bin/sh -e
> pgm=`basename $0`
> edir=/usr/lib/man-db
> cmd="${edir}/${pgm} ${1+$@}"
> [ `id -u` = 0 ] || exec ${cmd}
> su nobody -c "/bin/true" && exec su nobody -c ${1+"$cmd"}
> su -s /bin/true 2>/dev/null && exec su -s /bin/sh nobody -c ${1+"$cmd"}
> exec su man -c ${1+"$cmd"}
>
>
> a quick test before hitting y
> ...
> works!

sorry but I have to add one more patch ;-) if we use man with no
arguments we get su usage, that would probably trigger a `wtf'. fix
below:

#!/bin/sh -e
pgm=`basename $0`
edir=/usr/lib/man-db
cmd="${edir}/${pgm} ${1+$@}"
if [ $# = 0 ] ; then
    echo "What manual page do you want?"
    exit 1
fi
[ `id -u` = 0 ] || exec ${cmd}
su nobody -c "/bin/true" && exec su nobody -c ${1+"$cmd"}
su -s /bin/true 2>/dev/null && exec su -s /bin/sh nobody -c ${1+"$cmd"}
exec su man -c ${1+"$cmd"}

also one other problem, if the admin has set nobody's shell to
/bin/true instead of /bin/false then we will be fooled into thinking
our test succeeded when it really didn't, I tend to think this is not
too bad.. but perhaps you should document this in the README.. I do
not think it's unreasonable to ask the admin to use /bin/false instead
of /bin/true for nobody's bogus shell.

the only other way i can think to test for the shell is using awk on
/etc/passwd, but this is for sure not very portable since not all
systems use the same format for /etc/passwd.. (let me guess Hurd uses
something totally different :)

--
Ethan Benson
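
Added example, not part of the original mail: one way to avoid the /bin/true false positive described above is to check what the probe prints rather than its exit status, so no parsing of /etc/passwd is needed. The names MARKER, SU, runs_commands and pick_su_mode are assumptions made for this example.

```sh
#!/bin/sh
# Added illustration, not code from the thread. MARKER, SU and the
# function names are hypothetical.
MARKER="shell-probe-ok"

# runs_commands LAUNCHER [ARGS...]
# Runs the launcher with -c 'echo MARKER' appended and succeeds only if
# the marker comes back on stdout. A bogus shell such as /bin/true exits
# 0 but prints nothing, so it fails here just like /bin/false does.
runs_commands() {
    out=$("$@" -c "echo $MARKER" 2>/dev/null </dev/null) || return 1
    [ "$out" = "$MARKER" ]
}

# pick_su_mode
# Prints the invocation the wrapper should exec, trying the same three
# steps as the script in the mail: nobody's own shell, then su -s, then
# the less-secure user man. Call it only after the id -u check, as root.
# SU can be overridden for testing; it defaults to the real su.
pick_su_mode() {
    if runs_commands "${SU:-su}" nobody; then
        echo "su nobody"
    elif runs_commands "${SU:-su}" -s /bin/sh nobody; then
        echo "su -s /bin/sh nobody"
    else
        echo "su man"
    fi
}
```
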