login -f changing session getlogin(2)
Bryan Drewery
bdrewery at FreeBSD.org
Sat Oct 3 17:28:04 UTC 2015
On 10/3/2015 10:12 AM, Simon J. Gerraty wrote:
> Hi Bryan
>
>>>> It makes me wonder if there's bigger architectural issues here that need
>>>> addressing with session and login. Perhaps login -f is just a special
>>>> case though.
>
> As others have indicated your use of 'login -f' is "unexpected".
>
>> Well, none of that is documented or its use discouraged. It has been
>
> People document what they expect others need to know - and that is
> framed by their own expectations of usage.
> Thus lack of a documented admonition against every possible usage does
> not constitute a guarantee of support.
>
> When eventually someone uses something in an "unexpected" way,
> and encounters problems, there are basically three options.
>
> 1/ document that that should not be done, or that problems may arise
>
> 2/ prevent it being done
>
> 3/ make it work
>
>> And actually, 'su -l' NOT calling setlogin(2) is another surprise. I
>> have used 'login -f' precisely because it simulates a real login and
>> sets up the environment as the user. If I am dropping into a user's
>> shell I expect things like 'mail' to have their FROM not root or
>> wherever I came from in my session.
>
> Masquerading as another user to that extent sounds somewhat disturbing
> actually, and not something that should really be optimized for.
>
> So I'd guess in this case that #1 is the correct option.
>
This still ignores that 'su -l' does the opposite.
Sometimes sysadmins need to masquerade as users for support. Having a
user hand over their SSH password, or adding a password to a service
user that should NOT have remote access, is not the answer. There needs
to be a way to log in fully as a user for debugging issues as that user.
--
Regards,
Bryan Drewery
More information about the freebsd-arch mailing list