Forum: CFEngine Help
Subject: commands with setuid environment
Author: neilhwatson
Link to topic: https://cfengine.com/forum/read.php?3,23529,23529#msg-23529

I'm experimenting with running commands as other users.  I'd like the command 
to have the other user's environment. The best I can come up with is this.

root@web:~/inputs# cat promises.cf 
body common control {

        bundlesequence => { "main" };

        inputs => { "cfengine_stdlib.cf" };
}

bundle agent main {

        commands:

                "/bin/su -c 'echo $HOME' neil"
                        contain => in_shell;
}

root@web:~/inputs# cf-agent -f ./promises.cf 
Q: ".../bin/su -c 'ech": /home/neil
I: Last 1 quoted lines were generated by promiser "/bin/su -c 'echo $HOME' neil"


I tried this, but, as the manual says, the environment is inherited, which, at 
first glance, seems a shame. Is there a reason for this which I'm not seeing?


root@web:~/inputs# !cat
cat promises.cf 
body common control {

        bundlesequence => { "main" };

        inputs => { "cfengine_stdlib.cf" };
}

bundle agent main {

        commands:

                "/bin/echo $HOME"
                        contain => setuid_sh("neil");
}

root@web:~/inputs# cf-agent -f ./promises.cf 
Q: ".../bin/echo $HOME": /root
I: Last 1 quoted lines were generated by promiser "/bin/echo $HOME"


I tried this and things were very unexpected.

root@web:~/inputs# cat promises.cf 
body common control {

        bundlesequence => { "main" };

        inputs => { "cfengine_stdlib.cf" };
}

bundle agent main {

        commands:

                "/bin/su -c '/bin/echo $HOME' neil"
                        contain => setuid_sh("neil");
}

root@web:~/inputs# cf-agent -vf ./promises.cf 
....
cf3>    =========================================================
cf3>    commands in bundle main (1)
cf3>    =========================================================
cf3> 
cf3>  -> Promiser string contains a valid executable (/bin/su) - ok
cf3> 
cf3>     .........................................................
cf3>     Promise handle: 
cf3>     Promise made by: /bin/su -c '/bin/echo $HOME' neil
cf3>     .........................................................
cf3> 
cf3>  -> Executing '/bin/su -c '/bin/echo $HOME' neil' ...(timeout=-678,owner=1000,group=-1)
cf3>  -> (Setting umask to 77)


And there it hangs.  I'm not sure what just happened. What are others doing 
when you wish to run commands as other users with their environment?

_______________________________________________
Help-cfengine mailing list
[email protected]
https://cfengine.org/mailman/listinfo/help-cfengine
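
Added example (not part of the original post, and not CFEngine code): the second run above shows that changing the uid alone leaves root's HOME in place. This Python example rebuilds the environment from the account record before running the command; SAFE_PATH, login_env and run_as are hypothetical names, and the "neil" record in the demo is constructed so it runs without root.

```python
import os
import pwd
import subprocess

SAFE_PATH = "/usr/local/bin:/usr/bin:/bin"  # assumption: fixed, minimal PATH


def login_env(user):
    """Build the environment from the account record, not from the caller."""
    return {
        "HOME": user.pw_dir,
        "USER": user.pw_name,
        "LOGNAME": user.pw_name,
        "SHELL": user.pw_shell or "/bin/sh",
        "PATH": SAFE_PATH,
    }


def run_as(user, argv, inherit_env=False):
    """Run argv as `user` (a pwd.struct_passwd) and return its stdout.

    inherit_env=True reproduces the uid-only behaviour from the post:
    the identity changes but the caller's variables are passed through.
    """
    kwargs = {}
    if user.pw_uid != os.geteuid():
        # Needs root and Python 3.9+: sets gid, supplementary groups, then uid.
        kwargs.update(
            user=user.pw_uid,
            group=user.pw_gid,
            extra_groups=os.getgrouplist(user.pw_name, user.pw_gid),
        )
    env = None if inherit_env else login_env(user)
    done = subprocess.run(
        argv, env=env, cwd="/", stdin=subprocess.DEVNULL,  # no terminal input
        capture_output=True, text=True, timeout=30, check=True, **kwargs
    )
    return done.stdout.strip()


if __name__ == "__main__":
    # Constructed record using the current uid; real use: pwd.getpwnam("neil").
    neil = pwd.struct_passwd(
        ("neil", "x", os.geteuid(), os.getegid(), "", "/home/neil", "/bin/sh"))
    os.environ["HOME"] = "/root"  # constructed: stand in for root's environment
    cmd = ["/bin/sh", "-c", "echo $HOME"]
    print("inherited:", run_as(neil, cmd, inherit_env=True))
    print("rebuilt:  ", run_as(neil, cmd))
```

Passing an explicit env also keeps any other variables set in the privileged caller's session out of the unprivileged process.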