[Pkg-shadow-devel] Bug#350040: acknowledged by developer (Bug
definitely not a bug)
Nicolas François
nicolas.francois at centraliens.net
Sat Mar 4 01:15:12 UTC 2006
Hello Jeffrey,
On Fri, Mar 03, 2006 at 04:35:50PM -0500, Jeffrey Sheinberg wrote:
> Debian Bug Tracking System writes:
> > After investigation and advice from the shadow maintenance team and
> > the upstream author, it has been concluded, mostly to Tomasz Kloczko
> > that this bug is not to be considered a bug.
> >
> > Gaining root access should be made with su or sudo in these days where
> > login is PAMified.
>
> Hi,
>
> Please re-open this *bug*.
>
> I do not agree with your conclusion because long standing
> functional behavior is being arbitrarily removed.

I think the only change was the removal of the SUID bit on login.
The rationale for doing this was to reduce the number of suid utilities
for security reasons.

Login is not (and was not) intended to be run directly by users, even if
it was mentioned in the man page.

> Note that I work from an xterm using an alternate root (uid=0)
> login.

It does not work from any terminal because there is no entry in the utmp
file. This is not a login issue (and this is not an issue at all).
It works by default with xterm, because the +ut option is used by default.
If you try with -ut, you won't be able to "exec login" from xterm either.

logname uses getlogin to retrieve the login name. getlogin uses the utmp
file to retrieve the login name. It is fooled because jsroot's session
is not closed, so two sessions are open on the current terminal. As the
first one was opened by jsroot, getlogin returns jsroot instead of jeff.

This behavior changed when CLOSE_SESSION became the default (this is
mandatory for a proper support of PAM sessions).
Maybe we can fix this (I'm not sure it is a bug).

> Using sudo as an alternative is out of the question.
>
> Using su is possible, but it can be easily detected when su is
> invoked with the --login option. So, is this a bug in su? And I
> don't yet know what other infelicities will be detected using su.
>
> I just want the prior *reasonable* and *well known* behavior of
> login to be restored.
I don't understand what you don't like in sudo or su.
> At the very least, please leave this bug open, even if you
> don't yet have plans to fix it.

The point is not that we don't plan to fix it. The point is that we do not
consider it a bug.

Kind Regards,
--
Nekral
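
Added example, not part of the original message or of the shadow package: a small model of the utmp lookup described above, showing why a session that was never closed makes getlogin report jsroot instead of jeff. The records, the terminal name pts/3 and the helper names are constructed; the matching rule follows getutline(3), which is assumed to be the lookup behind getlogin here.

```c
#include <stdio.h>
#include <string.h>
#include <utmp.h>

/* Model of the utmp lookup (getutline(3) semantics): return the user of the
 * FIRST live record (USER_PROCESS or LOGIN_PROCESS) whose ut_line matches
 * the terminal, or NULL when the terminal has no utmp entry at all. */
static const char *first_login_on_line(const struct utmp *recs, size_t n,
                                       const char *line)
{
    static char name[sizeof recs->ut_user + 1];

    for (size_t i = 0; i < n; i++) {
        if (recs[i].ut_type != USER_PROCESS && recs[i].ut_type != LOGIN_PROCESS)
            continue;                       /* closed sessions are skipped */
        if (strncmp(recs[i].ut_line, line, sizeof recs[i].ut_line) != 0)
            continue;                       /* different terminal */
        memcpy(name, recs[i].ut_user, sizeof recs[i].ut_user);
        name[sizeof recs[i].ut_user] = '\0';
        return name;
    }
    return NULL;
}

/* Constructed records: jsroot's session on pts/3 comes first, then jeff's on
 * the same line. closed != 0 marks jsroot's record DEAD_PROCESS (closed). */
static const char *scenario(int closed, const char *line)
{
    struct utmp recs[2];
    memset(recs, 0, sizeof recs);
    recs[0].ut_type = closed ? DEAD_PROCESS : USER_PROCESS;
    strncpy(recs[0].ut_line, "pts/3", sizeof recs[0].ut_line);
    strncpy(recs[0].ut_user, "jsroot", sizeof recs[0].ut_user);
    recs[1].ut_type = USER_PROCESS;
    strncpy(recs[1].ut_line, "pts/3", sizeof recs[1].ut_line);
    strncpy(recs[1].ut_user, "jeff", sizeof recs[1].ut_user);
    return first_login_on_line(recs, 2, line);
}

int main(void)
{
    const char *r;
    printf("stale session : %s\n", scenario(0, "pts/3"));
    printf("closed session: %s\n", scenario(1, "pts/3"));
    r = scenario(0, "pts/9");               /* like xterm -ut: no record */
    printf("no utmp entry : %s\n", r ? r : "(none)");
    return 0;
}
```

Because the answer depends only on the order and state of utmp records, a name obtained this way is unsuitable as the basis for an access or audit decision.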