login -f changing session getlogin(2)

Bryan Drewery bdrewery at FreeBSD.org
Sat Oct 3 20:14:35 UTC 2015


On 10/3/2015 12:51 PM, Simon J. Gerraty wrote:
> Bryan Drewery <bdrewery at FreeBSD.org> wrote:
>> This still ignores that 'su -l' does the opposite.
> 
> The opposite of what?
> fwiw I'm not sure I'd want su - calling setlogin()
> but then I'm never trying to really masquerade as someone else to the
> extent that would matter.

I said this in another mail. su -l does not change logname, so things
like 'mail' send the mail as 'root' rather than the user.

su.1 claims to set USER to the target user. It does, but lacking the
documentation for a kernel implementation detail of logname it does not
convey that setting USER is not the full story.

So both login and su have unexpected behavior no matter how you look at it.

> 
>> Sometimes sysadmins need to masquerade as users for support. Having a
>> user hand over their SSH password, or adding a password to a service
>> user that should NOT have remote access, is not the answer.  There needs
>> to be a way to log in fully as a user for debugging issues as that user.
> 
> There are many ways to skin that cat (eg append your pub key to their
> .ssh/authorized_keys)
> The easiest is to just use 'login -f' as you are doing, and when
> finished log out completely.

Why does SSH need to even be involved here? This is what I mean by
bigger issues.

-- 
Regards,
Bryan Drewery
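
A small diagnostic for the mismatch described in the message above, added here as an example (not code from the thread or from FreeBSD): it compares the session login name from getlogin(2), the USER environment variable, and the passwd name of the real UID. The function and flag names are hypothetical.

```c
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Bit flags naming which identity sources disagree (hypothetical names). */
enum {
    ID_OK           = 0,
    ID_LOGIN_UNSET  = 1 << 0, /* getlogin() returned NULL */
    ID_LOGIN_VS_UID = 1 << 1, /* session login name != name of real UID */
    ID_ENV_VS_UID   = 1 << 2, /* $USER != name of real UID */
    ID_ENV_VS_LOGIN = 1 << 3  /* $USER != session login name */
};

/* True only when both names are known and they are not equal. */
static int differ(const char *a, const char *b)
{
    return a && b && strcmp(a, b) != 0;
}

/* Pure comparison, so it can be exercised with constructed inputs. */
int compare_identities(const char *login, const char *env_user,
                       const char *uid_name)
{
    int flags = ID_OK;
    if (login == NULL)              flags |= ID_LOGIN_UNSET;
    if (differ(login, uid_name))    flags |= ID_LOGIN_VS_UID;
    if (differ(env_user, uid_name)) flags |= ID_ENV_VS_UID;
    if (differ(env_user, login))    flags |= ID_ENV_VS_LOGIN;
    return flags;
}

int main(void)
{
    char login[256] = "";
    const char *l = getlogin();  /* may point to static storage: copy it */
    if (l) snprintf(login, sizeof login, "%s", l);
    const char *env_user = getenv("USER");
    struct passwd *pw = getpwuid(getuid());
    const char *uid_name = pw ? pw->pw_name : NULL;

    int flags = compare_identities(l ? login : NULL, env_user, uid_name);
    printf("getlogin=%s USER=%s uid-name=%s flags=0x%x\n",
           l ? login : "(null)", env_user ? env_user : "(unset)",
           uid_name ? uid_name : "(unknown)", (unsigned)flags);
    return flags != ID_OK;  /* non-zero exit when the sources disagree */
}
```

Run inside the shell started by 'su -l' or 'login -f' to see which of the three names a program such as 'mail' could pick up.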
