how is "su" handled if user ...

Anonymous
2012-05-17
2013-08-03

  • Anonymous
    2012-05-17

    Hi, I'm trying to understand how to resolve an issue.

    I have a user "ssp" whose /etc/passwd line is

    ssp:x:10007:0::/home/ssp:/usr/bin/lshell

    problem is, when I do:

    [root@em_gem_WS ~]# su - ssp

    I am in lshell and I can do:

    ssp:~$ ssh-agent
    SSH_AUTH_SOCK=/tmp/ssh-dBPOE22756/agent.22756; export SSH_AUTH_SOCK;
    SSH_AGENT_PID=22757; export SSH_AGENT_PID;
    echo Agent pid 22757;
    ssp:~$

    and this is fine, BUT if, being root, I do

    [root@em_gem_WS ~]# su - ssp -c "ssh-agent"
    *** forbidden shell escape: "ssh-agent"
    This incident has been reported.

    To make a long(?) story short:

    executing

    su - username -c "command"

    where username is a user whose shell is lshell ends up forbidding any command, even if those commands are properly (I hope) configured in lshell.conf.

    for completeness my lshell.conf for ssp is:

    [ssp]
    #allowed         : ['cd', 'history', 'll', 'mv', 'rm', 'version', 'export', 'ssh']
    allowed         : 'all' + ['ssh-agent']
    forbidden       : ['adduser', 'useradd', 'userdel', 'usermod', 'fdisk', 'help', 'mkfs', 'mkfs.ext2', 'mkfs.ext3', 'chown', 'chmod', 'chage', 'chgrp', 'chroot', 'chcat', 'su', 'cp /bin/sh', 'cp sh', 'cp /bin/bash', 'cp bash', 'cp /bin/csh', 'cp csh', 'cp /bin/ksh', 'cp ksh', 'cp /bin/tcsh', 'cp tcsh', '/bin/sh', './sh', '/bin/bash', './bash', '/bin/csh', './csh', '/bin/ksh', './ksh', '/bin/tcsh', './tcsh', 'cp /usr/bin/ssh', 'cp bin/ssh', 'cp ssh']
    warning_enabled : 'no'
    warning_counter : 20
    sudo_commands   : ['ssh-agent']
    timer           : 0
    env_path        : '/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin/:/sbin/'
    scp             : 1
    sftp            : 1
    overssh         : ['ls' , 'ssh-agent']
  • Hi,

    Thanks for reporting this.

    The "-c" is considered as a shell escape. I will see if it is possible to avoid this. Just in case I can help otherwise, what are you trying to achieve?

    Cheers,
    Ignace M


  • Anonymous
    2012-05-17

    Hi Ignace, thanks for fast reply :)

    I'm trying to execute "ssh-agent" from the /etc/init.d/sshd script, but as user ssp, so my /etc/init.d/sshd looks like this:

    ...
    SSP_SSH_ENV="/home/ssp/.ssh/environment"
    SSP_SSH_SOCK="/home/ssp/agent_sock"
    function start_agent {
         # run ssh-agent as ssp and keep only the SSH_* assignments as export lines
         su - ssp -c "ssh-agent" | grep -v ^echo | sed 's/SSH_/export SSH_/' | sed 's/\; export .*//' > "${SSP_SSH_ENV}"
         chown ssp: "${SSP_SSH_ENV}"
         chmod 600 "${SSP_SSH_ENV}"
         . "${SSP_SSH_ENV}" > /dev/null
         # replace the fixed-path symlink with a link to the new agent socket
         unlink "${SSP_SSH_SOCK}" > /dev/null 2>&1
         ln -s "${SSH_AUTH_SOCK}" "${SSP_SSH_SOCK}"
    }
    # Source SSH settings, if applicable
    if [ -f "${SSP_SSH_ENV}" ]; then
         . "${SSP_SSH_ENV}" > /dev/null
         unlink "${SSP_SSH_SOCK}" > /dev/null 2>&1
         ln -s "${SSH_AUTH_SOCK}" "${SSP_SSH_SOCK}"
         #ps ${SSH_AGENT_PID} doesn't work under cygwin
         # start a new agent unless the recorded PID is still an ssh-agent
         ps -ef | grep "${SSH_AGENT_PID}" | grep 'ssh-agent$' > /dev/null || {
             start_agent;
         }
    else
         start_agent;
    fi
    ...

    the problem occurs in line

    su - ssp -c "ssh-agent" | grep -v ^echo | sed 's/SSH_/export SSH_/' | sed 's/\; export .*//' > "${SSP_SSH_ENV}"

    where lshell does not allow executing "ssh-agent" when invoked from "su - ssp -c".

    Is there a dirty and quick workaround for this? :)

    thanks again
    Giuseppe

  • An option would be to use sudo, like:

    ~# sudo -u foo whoami
    foo

    The only problem, is that this bypasses lshell. :)

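    An added example (not code from this thread or from lshell), as a POSIX shell script: Giuseppe's start_agent step rewritten with the "sudo -u" workaround given above instead of "su - ssp -c" (which, as noted, bypasses lshell), with the grep/sed chain replaced by a single sed and the liveness check verifying that the recorded PID really is an ssh-agent. Assumed: the same file paths as in the posted script, and ssh-agent's Bourne-style output (the embedded sample is constructed, with the values from the thread).

```shell
#!/bin/sh
# Added example, not from the thread or from lshell: the start_agent step done
# with "sudo -u ssp" (the workaround given in the thread, which bypasses lshell)
# instead of "su - ssp -c", plus one sed that replaces the grep/sed chain.
SSP_USER="ssp"
SSP_SSH_ENV="/home/ssp/.ssh/environment"   # assumed path, as in the posted script
SSP_SSH_SOCK="/home/ssp/agent_sock"        # assumed path, as in the posted script

# Constructed sample of ssh-agent's Bourne-style output (values mirror the thread).
SAMPLE_AGENT_OUTPUT='SSH_AUTH_SOCK=/tmp/ssh-dBPOE22756/agent.22756; export SSH_AUTH_SOCK;
SSH_AGENT_PID=22757; export SSH_AGENT_PID;
echo Agent pid 22757;'

# stdin: raw ssh-agent output. stdout: one "export SSH_X=value" line per variable.
# The "echo Agent pid" line and the "; export X;" tails are dropped.
agent_env_lines() {
    sed -n 's/^\(SSH_[A-Z_]*=[^;]*\);.*$/export \1/p'
}

# $1: variable name; stdin: lines from agent_env_lines. Prints that variable's value.
agent_env_value() {
    sed -n "s/^export $1=//p"
}

# True only if SSH_AGENT_PID is set, the process exists, and it really is ssh-agent
# (the original "ps -ef | grep PID" also matched unrelated processes containing the digits).
agent_alive() {
    [ -n "${SSH_AGENT_PID:-}" ] || return 1
    kill -0 "$SSH_AGENT_PID" 2>/dev/null || return 1
    ps -o comm= -p "$SSH_AGENT_PID" 2>/dev/null | grep -q '^ssh-agent$'
}

start_agent() {
    umask 077                      # the env file names the socket; keep it private
    sudo -u "$SSP_USER" ssh-agent -s | agent_env_lines > "$SSP_SSH_ENV" || return 1
    chown "$SSP_USER": "$SSP_SSH_ENV"
    . "$SSP_SSH_ENV"
    rm -f "$SSP_SSH_SOCK"          # replace the fixed-path link with the new socket
    ln -s "$SSH_AUTH_SOCK" "$SSP_SSH_SOCK"
}

case "${1:-demo}" in
    start) if [ -f "$SSP_SSH_ENV" ]; then . "$SSP_SSH_ENV"; fi
           agent_alive || start_agent ;;
    demo)  printf '%s\n' "$SAMPLE_AGENT_OUTPUT" | agent_env_lines ;;
esac
```

    Run it as "start" from the init script (root); with no argument it only parses the embedded sample so the sed can be checked without sudo or a running agent.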

  • Anonymous
    2012-05-17

    Wow, that's OK, I don't care as long as it's just an init script. Thanks for helping :)


  • Anonymous
    2013-02-14

    Hi,

    Would it be possible to make the

    su - username -c "command"

    work, because I really need to give my limited shell a command. Or do any of you know a workaround that does not bypass lshell?

    Regards,
    Mads

  • Unfortunately, this is not possible.