Subject: Re: su(1) asking for pw if euid==0
To: None <tech-userlevel@netbsd.org>
From: Christos Zoulas <christos@astron.com>
List: tech-userlevel
Date: 07/11/2007 02:07:34

In article <20070710213049.GA28633@moray.salmi.ch>,
Jukka Salmi  <j+nbsd@2007.salmi.ch> wrote:
>Hi,
>
>I'm having a problem with an rc script which sets ${name}_user to run
>the command as another user using su(1). While starting the command
>works fine, shutting it down doesn't.
>
>Since shutdown(8) is setuid root:operator I assume a non-root user in
>group `operator' should be allowed to shut down the system. Is this
>correct? However, this results in rc.shutdown being run as uid!=0 and
>euid==0. Nevertheless su(1) asks for a password when trying to kill
>the non-root process. Is this intended behaviour? If yes, rc.subr
>should probably be changed to kill _all_ processes as root, not only
>those not setting ${name}_user.
>
>To reproduce the core of the problem:
>
>$ id
>uid=1000(jukka) gid=1000(jukka) groups=1000(jukka),0(wheel),5(operator),[...]
>$ sudo cp /bin/ksh /
>$ sudo chown 0:0 /ksh
>$ sudo chmod 4554 /ksh
>$ /ksh
># id
>uid=1000(jukka) gid=1000(jukka) euid=0(root)
>groups=1000(jukka),0(wheel),5(operator),[...]
># su -m daemon -c id     
>Password:
>
>This works as expected for root:
>
>$ sudo su -
>[...]
># id
>uid=0(root) gid=0(wheel) groups=0(wheel),[...]
># su -m daemon -c id
>uid=1(daemon) gid=1(daemon) groups=1(daemon)
>
>So, what should be fixed? su(1), rc(8) or my understanding of them?

Make the setuid program set the real id to 0 before exec'ing su.

christos
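
The fix suggested above, sketched in C as an added example (not code from this thread or from NetBSD): a process running with uid!=0 and euid==0 sets its real uid to 0 and verifies the result before exec'ing su(1). The function name promote_real_uid and the SU_PATH value are assumptions; the su arguments are the ones from the reproduction above.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Assumption: location of su(1); adjust for the local system. */
#define SU_PATH "/usr/bin/su"

/*
 * Hypothetical helper: make the real uid 0 when the effective uid
 * already is 0. Returns 0 if the process ends up with uid==euid==0,
 * -1 (errno set) otherwise.
 */
int promote_real_uid(void)
{
    if (geteuid() != 0) {
        /* Not running with root privilege: nothing to promote. */
        errno = EPERM;
        return -1;
    }
    /* With euid 0, setuid(0) sets the real, effective and saved uid. */
    if (setuid(0) == -1)
        return -1;
    /* Verify the ids instead of trusting the return value alone. */
    if (getuid() != 0 || geteuid() != 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Same command as in the reproduction: su -m daemon -c id */
    char *const su_argv[] = { "su", "-m", "daemon", "-c", "id", NULL };

    printf("before: uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());
    if (promote_real_uid() == -1) {
        perror("promote_real_uid");
        return 1;
    }
    printf("after:  uid=%ld euid=%ld\n", (long)getuid(), (long)geteuid());

    execv(SU_PATH, su_argv);   /* only returns on failure */
    perror("execv " SU_PATH);
    return 1;
}
```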