[Popcon-developers] Bug#429405: Wrong usage of su in /etc/cron.weekly/popularity-contest (New bug)

Klaus Ethgen Klaus at Ethgen.de
Mon Jun 18 17:53:17 UTC 2007


Hello Bill,

On Mon, 18 Jun 2007 at 17:53, Bill Allombert wrote:
> It is not the case on Debian by default:
> nobody:*:65534:65534:nobody:/nonexistent:/bin/sh

That's true but it is not as safe as I wanna have it on my systems. (All
system users on my system have /bin/sh if no special reason is given otherwise.)

> Furthermore the point of user nobody is to be able to run processes
> that have no file access permission outside 'other' (since no files are
> owned by user or group nobody). If you preclude it from running
> programs, then this user is useless. If nobody does not have a default
> shell, every usage of 'su nobody' must hard-code a shell instead of
> following /etc/passwd. This is generally a bad thing. Only root can 'su
> nobody' anyway. 

That is incorrect. If you have to call something as nobody you know the
shell it has to run under. Also I never ever want a normal user to
su to nobody at all! Moreover, nobody ever has to run an interactive shell
as user nobody! So there is no need for a shell for this user. It is
only a security problem: IF the user nobody has a shell and a server,
e.g. the webserver, has a security flaw when running code as user nobody,
the attacker has a shell for free (sure, with no home, but there are other
places where nobody can write to as well)! So never give nobody a shell.

By the way, even if I give him a shell, how can you be sure that calling
/bin/sh from this shell is allowed? Or maybe it has another syntax to call
such a shell.

And it is not useless at all as every cron job can use su -s /bin/sh (or
/bin/bash or /usr/bin/perl ... as you wish). This is also the case with
/etc/cron.weekly/popularity-contest. You still select a shell explicitly.
Why not select it by "su -s /bin/sh", which is cleaner and the
safest way?

> /etc/cron.weekly/popularity-contest is not the only script to use 
> 'su nobody' without -s.

Uh, it's the only one I know of until now. But that's only a side comment;
popcon should be better than all other software of course. ;-)

Best Regards
   Klaus
-- 
Klaus Ethgen                            http://www.ethgen.de/
pub  2048R/D1A4EDE5 2000-02-26 Klaus Ethgen <Klaus at Ethgen.de>
Fingerprint: D7 67 71 C4 99 A6 D4 FE  EA 40 30 57 3C 88 26 2B
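The disagreement above is whether a cron job should name its shell with "su -s" or inherit it from the passwd entry. The following check is an added example, not code from popularity-contest or from either poster: it lists every su call in a set of scripts and says whether the job depends on the target account's login shell. The function name audit_su, the verdict labels and the sample job files are assumptions made for illustration.

```shell
#!/bin/sh
# audit_su PASSWD_FILE SCRIPT...
# Reports each `su` call as  script:line:user:login-shell:verdict
#   explicit = shell chosen with -s/--shell, independent of the passwd entry
#   implicit = no -s; the command runs in whatever shell the passwd entry names
#   broken   = no -s and the passwd shell is nologin/false, so the command never runs
audit_su() {
    passwd_file=$1; shift
    awk -v q="'" -v pw="$passwd_file" '
        BEGIN {   # load user -> login shell (passwd field 7)
            while ((getline line < pw) > 0) { split(line, f, ":"); shell[f[1]] = f[7] }
        }
        /^[ \t]*#/ { next }                      # skip comment lines
        {
            s = $0
            # Collapse quoted strings so that -c "cmd args" stays one token.
            gsub("\"[^\"]*\"|" q "[^" q "]*" q, "QUOTED", s)
            n = split(s, w)
            for (i = 1; i <= n; i++) {
                if (w[i] != "su") continue
                user = ""; explicit = 0
                for (j = i + 1; j <= n && w[j] !~ /^[;|&]/; j++) {
                    if (w[j] == "-s" || w[j] == "--shell") { explicit = 1; j++ }
                    else if (w[j] ~ /^--shell=/) explicit = 1
                    else if (w[j] == "-c" || w[j] == "--command") j++   # skip its argument
                    else if (w[j] !~ /^-/ && user == "") user = w[j]
                }
                if (user == "") user = "root"    # su without a user means root
                sh = (user in shell) ? shell[user] : "?"
                verdict = explicit ? "explicit" : (sh ~ /(nologin|false)$/ ? "broken" : "implicit")
                printf "%s:%d:%s:%s:%s\n", FILENAME, FNR, user, sh, verdict
            }
        }' "$@"
}

# Constructed sample data (not taken from any real system or package).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin' > "$d/passwd"
    printf '%s\n' '#!/bin/sh' 'su nobody -c "/usr/local/bin/report --weekly"' > "$d/job-a"
    printf '%s\n' '#!/bin/sh' 'su -s /bin/sh -c "/usr/local/bin/report --weekly" nobody' > "$d/job-b"
    audit_su "$d/passwd" "$d/job-a" "$d/job-b"
    rm -rf "$d"
}
demo
```

Run against a copy of /etc/passwd and the scripts under /etc/cron.*, the "implicit" and "broken" lines are the jobs whose behaviour changes when nobody's shell is changed.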