#101895 use start-stop-daemon --chuid instead of su to drop privileges

Package: findutils
Source: findutils
Description: utilities for finding files--find, xargs
Submitter: Ethan Benson
Date: 2015-12-31 01:21:03 UTC
Severity: wishlist

#101895#5
Date: 2001-06-22 09:22:36 UTC

updatedb uses su to drop privileges to nobody, this unfortunately
creates useless log entries.  if updatedb were patched to use
start-stop-daemon --chuid instead of su these log entries would be
eliminated.

(this is also a very FAQ on -user and -security, `what is this SU ???
root-nobody, have i been hacked!' ...)

#101895#10
Date: 2001-06-22 17:33:59 UTC

I don't want to branch findutils with a separate version for Debian.
I'm willing to consider other alternatives.  start-stop-daemon is far
from universally available on Unix systems.  The command name is
misleading, since a daemon is not being run.

Perhaps a large part of the problem is the format of the su logging
message.  The message "root-nobody" could be root changing to nobody
or nobody changing to root.  The latter interpretation should be a
concern.  The former interpretation should not be a concern.  A
clearer log message would make it obvious that there isn't a reason
for concern.  If the log messages for su are useless, then why are the
log messages being made?

We can discuss this for a while and try to determine an alternative.
Otherwise, I will close the bug.

Ethan Benson <erbenson@alaska.net> writes:

#101895#15
Date: 2001-06-22 22:22:31 UTC

the log messages are useful, for real use of su by actual people, but
for a cron job it's pointless.

a very small C program which does setgid(), initgroups(), setuid() but
no logging and no setuid bit.  updatedb could call that instead.
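
The kind of helper described in the message above, as an added example that is not part of the original thread and is not findutils code. The name drop_to_user, the return codes and the command-line form are assumptions. It is meant to be started by root (for example from a cron job) and installed without the setuid bit.

```c
#define _DEFAULT_SOURCE /* exposes initgroups() on glibc */
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <unistd.h>

enum { DROP_OK = 0, DROP_NO_USER = -1, DROP_FAILED = -2, DROP_REVERSIBLE = -3 };

/* Hypothetical helper: switch permanently to `user`; writes no log entry. */
int drop_to_user(const char *user)
{
    struct passwd *pw = user ? getpwnam(user) : NULL;
    if (pw == NULL)
        return DROP_NO_USER;

    /* Groups first: after setuid() the process may no longer change them. */
    if (setgid(pw->pw_gid) != 0)
        return DROP_FAILED;
    /* Replace root's supplementary groups with the target user's. */
    if (initgroups(pw->pw_name, pw->pw_gid) != 0)
        return DROP_FAILED;
    /* Called as root, setuid() sets the real, effective and saved UID. */
    if (setuid(pw->pw_uid) != 0)
        return DROP_FAILED;

    /* The drop must be irreversible: regaining root has to fail. */
    if (pw->pw_uid != 0 && setuid(0) == 0)
        return DROP_REVERSIBLE;
    if (getuid() != pw->pw_uid || geteuid() != pw->pw_uid ||
        getgid() != pw->pw_gid || getegid() != pw->pw_gid)
        return DROP_FAILED;
    return DROP_OK;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s user command [args...]\n", argv[0]);
        return 2;
    }
    int rc = drop_to_user(argv[1]);
    if (rc != DROP_OK) {   /* never run the command with root still held */
        fprintf(stderr, "%s: cannot drop to %s (code %d)\n", argv[0], argv[1], rc);
        return 1;
    }
    execvp(argv[2], &argv[2]);
    perror(argv[2]);       /* reached only if exec failed */
    return 127;
}
```

Every return value is checked because a failed setgid(), initgroups() or setuid() that goes unnoticed would leave the command running with root's identity or groups.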

#101895#20
Date: 2001-06-23 00:12:51 UTC

Ethan Benson <erbenson@alaska.net> writes:

But then that program would have to be included with the distribution
of findutils, and it doesn't seem to belong there.  If updatedb were a
C program, it would be easier to solve this problem, but I'm not
likely to rewrite updatedb in the near future.  There might be a way
of modifying find so that it determines whether the files and
directories should be readable, but I'm afraid that this might
duplicate kernel code, and be an inaccurate representation of
accessibility.

Does su really need to log when root changes to another id?  Are you
requesting that the other cron jobs which change id be modified to
avoid the use of su?  I see man, mail, and postgres being logged by
PAM_unix, though only man is logged by su.  I do think that the su log
messages are somewhat obscure.

#101895#25
Date: 2001-06-23 02:02:40 UTC

Ethan Benson <erbenson@alaska.net> wrote:

Surely the problem is that PAM su creates useless log entries when root
switches to a non-root user.

#101895#30
Date: 2015-12-31 01:08:54 UTC

On Fri, 22 Jun 2001 01:22:36 -0800 Ethan Benson <erbenson@alaska.net> wrote:
 >
 > updatedb uses su to drop privileges to nobody, this unfortunately
 > creates useless log entries. if updatedb were patched to use
 > start-stop-daemon --chuid instead of su these log entries would be
 > eliminated.
 >
 > (this is also a very FAQ on -user and -security, `what is this SU ???
 > root-nobody, have i been hacked!' ...)

One other solution could be the runuser command, which is available in
Debian since util-linux 2.24.2-1.

Cheers,

Laurent Bigonville