Subject: Re: ksh won't read /etc/suid_profile
To: Andrew Basterfield <list@lostgeneration.fsnet.co.uk>
From: Greg A. Woods <woods@weird.com>
List: netbsd-users
Date: 05/20/2002 18:31:04
[ On Monday, May 20, 2002 at 16:38:01 (+0100), Andrew Basterfield wrote: ]
> Subject: Re: ksh won't read /etc/suid_profile
>
> I want to be root without a full login, but I still want to run a script
> to set my editing options when the new shell starts (like ~/.bashrc). It
> seems I can't do this with ksh.

What's wrong with typing ". ~andrew/.kshrc"?  :-)

> Maybe I'll start looking at the ksh sources now...

RTFM first....

Look into the meaning and use of the "ENV" variable.  Once you've done
that then continue reading this message....



In combination with the default behaviour of NetBSD's "su" command
leaving the majority of the environment variables alone, and so long as
you have /bin/ksh as root's shell, the file pointed to by the ENV
variable will be sourced by the shell started by "su".

Be warned though that this is a _MAJOR_ security risk if you ever "su"
from an untrusted user's account.  Of course you should _NEVER_ just
"su" from any untrusted user's account anyway -- even explicitly typing
"/usr/bin/su" might not do what you think it should!  ;-)

	$ alias /usr/bin/su='echo "got you!"'
	$ /usr/bin/su
	got you!

Setting ENV "smartly" is the trick.  Personally I've always used what
David Korn himself suggested, as described in my ~/.kshlogin file:

	export ENVFILE=$HOME/.kshrc
	
	if [ -n "$ENVFILE" -a -r "$ENVFILE" ] ; then
		# the suggestion in the KornShell book says....
		#
		#export ENV='${ENVFILE[(_$-=0)+(_=1)-_${-%%*i*}]}'
		#
		# this one seems more correct, and I think was what Korn posted
		# to Usenet once upon a time (it also works with all the
		# versions of ksh I've run across, including ksh-85 and AIX-3.2)
		#
		export ENV='${ENVFILE[(_$-=1)+(_=0)-(_$-!=_${-%%*i*})]}'
	fi

which is of course read in to my login shell with the following snippet
from my ~/.profile:

	if [ ${RANDOM:-0} -ne ${RANDOM:-0} -a -z "${BASH}" ] ; then
		if [ -r $HOME/.kshlogin ] ; then
			. $HOME/.kshlogin
		fi
	elif ....

Full details here:

	ftp://ftp.weird.com/pub/local/dotfiles.tar.gz

-- 
								Greg A. Woods

+1 416 218-0098;  <gwoods@acm.org>;  <g.a.woods@ieee.org>;  <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
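
An added example, not part of the original message: a POSIX sh check of the file that ENV names, meant to be run in your own session before "su", since that file will be sourced by root's ksh. The function name audit_ksh_env is hypothetical, and it inspects only the file itself, not its parent directories.

```shell
#!/bin/sh
# Added example (not from the original message).
# audit_ksh_env is a hypothetical helper name.
# Usage: audit_ksh_env "$ENV" && su
# Returns 0 when nothing risky is found, 1 otherwise; prints the reason.
audit_ksh_env() {
    env_value=$1

    # Unset or empty ENV: ksh sources no extra file.
    if [ -z "$env_value" ]; then
        echo "ok: ENV is empty"
        return 0
    fi

    # ksh expands ENV before using it, so the value can be an expression
    # such as '${ENVFILE[...]}'. Expanding it here would mean evaluating
    # text we have not vetted, so report it for manual review instead.
    case $env_value in
        *'$'*|*'`'*)
            echo "review: ENV is an expression, resolve it by hand: $env_value"
            return 1 ;;
    esac

    # A missing file (or dangling symlink) is not sourced right now.
    if [ ! -e "$env_value" ]; then
        echo "ok: $env_value does not exist"
        return 0
    fi

    # The file will run as root, so it should be owned by root or by the
    # user running this check. -L makes find test the symlink target.
    if [ -n "$(find -L "$env_value" -prune ! -user 0 ! -user "$(id -u)" -print)" ]; then
        echo "risk: $env_value is owned by another user"
        return 1
    fi

    # Nobody but the owner should be able to modify it.
    if [ -n "$(find -L "$env_value" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
        echo "risk: $env_value is group- or world-writable"
        return 1
    fi

    echo "ok: $env_value"
    return 0
}
```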