su and runuser
Jeff Vian
jvian10 at charter.net
Wed Sep 27 01:22:48 UTC 2006
On Tue, 2006-09-26 at 15:58 -0500, Aaron Konstam wrote:
> On Tue, 2006-09-26 at 15:13 +0100, Paul Howarth wrote:
> > Aaron Konstam wrote:
> > > On Tue, 2006-09-26 at 13:46 +0100, Paul Howarth wrote:
> > >> Tim wrote:
> > >>> On Mon, 2006-09-25 at 15:45 -0400, Steven W. Orr wrote:
> > >>>> After all that, if it works, please never use su the way you described
> > >>>> above. At the very least use su - -c etc...
> > >>> Having seen that in another topic, made me wonder about something I'm
> > >>> doing. My /etc/rc.local file has a string of lines in it like the
> > >>> following: su tim -c "/usr/bin/fetchmail -d 900"
> > >>>
> > >>> Should I be doing it like this, instead:
> > >>> su - tim -c "/usr/bin/fetchmail -d 900"
> > >> Or even:
> > >>
> > >> /sbin/runuser tim -c "/usr/bin/fetchmail -d 900"
> > >>
> > > I am a little confused about runuser. Anyone can run it and the man page
> > > says it does not ask for a passwd. That seems like a security hole.
> >
> > Where does it say that anyone can run it? It just fails rather than
> > prompting for a password. This is useful behaviour in scripts where a
> > password prompt might cause a script to hang, whereas a simple failure
> > can be catered for.
> >
> > Paul.
> You are actually correct and I am being difficult. I am referring to the
> fact that the permissions on runuser are 755 which would imply that it
> can be run by anyone.
Of course it can be run by anyone. It checks internally to see who is
running it to decide what permissions it grants.
The su command does the same, as do most of the system-config-xxxx progs
so they know how to act based on who called the program.
More information about the fedora-list
mailing list