Re: two questions about su(1)

From: Dewayne Geraghty <dewayne_at_heuristicsystems.com.au>
Date: Thu, 26 Jun 2025 04:02:23 UTC
Paul,
Just expanding on bluerosetech's answer.
Q 1.  The user needs to authenticate before su looks up the class record 
for the user in login.conf.db. Are you using a class zsh? :)

Q 2. For example
su -c Bobs_class Alice -c "$Process $Args"
is very useful when testing (or running) Processes that you don't want 
to run as root and would like to monitor process behaviour with 
different class attributes.

Using classes via login.conf helps (me) to restrict process behaviour. 
It's particularly useful when using jails, as the restrictions that you 
apply to a class are applied to the user logging into a jail - I 
typically use classes to change MAC labels, process priority, CPU and 
memory limits and open files.  For example
jexec -U Alice $Jail $Process
will use the class that Alice has been assigned (within the jail).

An example of a modified record in my login.conf
audit:\
         :openfiles=16:\
         :priority=-6:\
         :label=partition/3:\
         :tc=itsp:

su with classes is a very useful mechanism.

Cheers.
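
Added example (not part of the message above, and not the poster's code): a small resolver that prints the effective limits of a login.conf class after tc= inheritance, using getcap(3)'s rule that the first definition of a capability wins. The audit record is the one quoted in the message; the body of itsp is not shown there, so the one used here is constructed for illustration.

```python
# Resolve a login.conf class to its effective capabilities, expanding tc=
# in place as getcap(3) does: the earliest definition of a capability wins.

# Constructed sample: "audit" is the record from the message; the contents
# of "itsp" are NOT on the page and are invented for illustration only.
SAMPLE = r"""
itsp:\
         :openfiles=256:\
         :priority=0:\
         :cputime=1h:
audit:\
         :openfiles=16:\
         :priority=-6:\
         :label=partition/3:\
         :tc=itsp:
"""

def parse_records(text):
    """Return {class_name: [field, ...]} with continuation lines joined."""
    joined = text.replace("\\\n", "")
    records = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        names, caps = fields[0], [f for f in fields[1:] if f]
        for name in names.split("|"):
            records[name] = caps
    return records

def effective(records, cls, seen=()):
    """Effective capabilities of cls; raises ValueError on a tc= loop."""
    if cls in seen:
        raise ValueError("tc= loop at class " + cls)
    result = {}
    for cap in records[cls]:
        key, _, value = cap.partition("=")
        if key == "tc":
            for k, v in effective(records, value, seen + (cls,)).items():
                result.setdefault(k, v)
        elif key.endswith("@"):
            result.setdefault(key[:-1], None)   # name@ cancels an inherited value
        else:
            result.setdefault(key, value if "=" in cap else True)
    return result if seen else {k: v for k, v in result.items() if v is not None}

if __name__ == "__main__":
    print(effective(parse_records(SAMPLE), "audit"))
```

Reviewing the resolved record rather than the raw one shows which limits a class really carries once its parent classes are folded in, for example that audit keeps openfiles=16 even though its parent allows more.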