danwalsh


Dan Walsh's Blog

Got SELinux?


Previous Entry Add to Memories Share Next Entry
runuser versus su
danwalsh

Many years ago, we noticed SELinux having problems with the su command.  Many confined domains were using su to switch user from root to some non privileged user.  But this would generate lots of bogus SELinux errors such as:

Domain X_t wants to getattr on the fingerprint device or look at the pid file of the Smart Card reader. 

su using the pam_stack was the cause of these errors.  Depending on which pam_modules you had in the /etc/pam.d/su configuration, certain access would be checked.  Services using su do not want/need these side effects of using the pam stack.  SELinux policy writers do not want to allow the access or add dontaudit rules all over the place.

In order to fix this, we built a new application called runuser.  runuser is actually built from the su.c source code.  You just define the RUNUSER constant when compiling su.c.  Basically runuser is just the su command with the pam stack removed as well as verifying the command is running as root, not setuid.

Whenever an service is running as root and wants to change UID using the shell it should use runuser.

When you are logged in to a shell as a user and want to become root, you should use su.  (Or better yet sudo)


No HTML allowed in subject

  
 
   
 

(will be screened)

You are viewing danwalsh