danwalsh (danwalsh) wrote,

runuser versus su

Many years ago, we noticed SELinux having problems with the su command.  Many confined domains were using su to switch user from root to some non privileged user.  But this would generate lots of bogus SELinux errors such as:

Domain X_t wants to getattr on the fingerprint device or look at the pid file of the Smart Card reader. 

su using the pam_stack was the cause of these errors.  Depending on which pam_modules you had in the /etc/pam.d/su configuration, certain access would be checked.  Services using su do not want/need these side effects of using the pam stack.  SELinux policy writers do not want to allow the access or add dontaudit rules all over the place.

In order to fix this, we built a new application called runuser.  runuser is actually built from the su.c source code.  You just define the RUNUSER constant when compiling su.c.  Basically runuser is just the su command with the pam stack removed as well as verifying the command is running as root, not setuid.

Whenever an service is running as root and wants to change UID using the shell it should use runuser.

When you are logged in to a shell as a user and want to become root, you should use su.  (Or better yet sudo)


  • Container Domains (Types)

    One of the things people have always had a hard time understanding about SELinux is around different types. In this blog, I am going to discuss…

  • Musings on Hybrid Cloud

    I work on the lowest levels of container runtimes and usually around process security. My team and I work on basically everything needed run…

  • Container Labeling

    An issue was recently raised on libpod, the github repo for Podman. "container_t isn't allowed to access container_var_lib_t" Container policy…

  • Post a new comment


    Anonymous comments are disabled in this journal

    default userpic

    Your reply will be screened