Subject: Re: ksh won't read /etc/suid_profile
To: NetBSD User's Discussion List <netbsd-users@NetBSD.ORG>
From: Andrew Basterfield <list@lostgeneration.freeserve.co.uk>
List: netbsd-users
Date: 05/21/2002 01:48:24

On Mon, 20 May 2002 18:31:04 -0400 (EDT)
woods@weird.com (Greg A. Woods) wrote:

> [ On Monday, May 20, 2002 at 16:38:01 (+0100), Andrew Basterfield wrote: ]
> > Subject: Re: ksh won't read /etc/suid_profile
> >
> > I want to be root without a full login, but I still want to run a
> > script to set my editing options when the new shell starts (like
> > ~/.bashrc). It seems I can't do this with ksh.
> 
> What's wrong with typing ". ~andrew/.kshrc"?  :-)

Unnecessary key presses. I would find it incredibly irritating to have to
do this every time I start ksh, and I would forget when I was in a hurry.

> <snip>
 
> In combination with the default behaviour of NetBSD's "su" command
> leaving the majority of the environment variables alone, and so long as
> you have /bin/ksh as root's shell, all the file pointed to by the ENV
> variable will be sourced by the shell started by "su".
> 
> Be warned though that this is a _MAJOR_ security risk if you ever "su"
> from an untrusted user's account.  Of course you should _NEVER_ just
> "su" from any untrusted user's account anyway -- even explicitly typing
> "/usr/bin/su" might not do what you think it should!  ;-)

Yes, but it is still something that has to be set from the calling
environment. As you pointed out this is a security risk & also I may not
be 'su'ing from an 'sh' compatible login shell in which case I would need
to export (or setenv) $ENV in a variety of places (a login 'C' shell or an
xterm spawned through xdm springs to mind). Not very tidy.

My ksh now always reads /etc/kshrc if it is non-restricted. Sorry if this
is sacrilege but I don't intend to inflict my patch on the rest of the
world.

Thanks for the interesting info.

--Andrew

-- 
sparc sun4c stuff:
	http://www.lostgeneration.freeserve.co.uk/sparc
PGP key for list@lostgeneration.freeserve.co.uk:
	http://www.lostgeneration.freeserve.co.uk/list.freeserve.co.uk.asc
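
Added example, not part of the original message: a check to run before "su" on the file named by ENV, following the warning quoted above that the ksh started by "su" sources that file. The function name check_env_file, its verdict words and the policy it applies (absolute path, regular file, owned by root or the invoking user, not group- or world-writable) are assumptions made for this illustration, not NetBSD behaviour.

```shell
#!/bin/sh
# Added example: vet the file named by $ENV before running "su".
# check_env_file PATH prints one verdict word; returns 0 only when nothing
# unsafe was found under the assumed policy described in the lead-in.
check_env_file() {
    p=$1
    # Unset or empty ENV: the new shell has no extra file to source.
    [ -n "$p" ] || { echo unset; return 0; }
    case $p in
        # The shell expands the value of ENV before using it, so a value
        # containing substitutions cannot be judged from the string alone.
        *'$'*|*'`'*) echo needs-expansion; return 1 ;;
        /*) ;;
        # A relative path resolves against whatever directory su runs in.
        *) echo not-absolute; return 1 ;;
    esac
    # Missing files and directories cannot be vetted; treat as unsafe.
    [ -f "$p" ] || { echo not-a-regular-file; return 1; }
    me=$(id -u)
    # -L: judge the target of a symlink, not the link itself.
    if [ -z "$(find -L "$p" -prune \( -user 0 -o -user "$me" \))" ]; then
        echo foreign-owner; return 1
    fi
    if [ -n "$(find -L "$p" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo writable-by-others; return 1
    fi
    echo ok
}

# Stand-alone use: report on the current environment.
verdict=$(check_env_file "${ENV-}") ||
    echo "ENV=${ENV-} failed the check: $verdict" >&2
```

The check covers only the file itself; it does not examine the permissions of the directories leading to it.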
