From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <m.novosyolov@rosalinux.ru>
X-Spam-Checker-Version: SpamAssassin 3.4.1 (2015-04-28) on
 sa.local.altlinux.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,DKIM_SIGNED,
 DKIM_VALID,DKIM_VALID_AU,RP_MATCHES_RCVD autolearn=unavailable
 autolearn_force=no version=3.4.1
DKIM-Filter: OpenDKIM Filter v2.10.3 mail.rosalinux.ru E40F0CD56DFB2
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rosalinux.ru;
 s=A1AAD92A-9767-11E6-A27F-AC75C9F78EF4; t=1597006210;
 bh=MUCDNtIe17solD3wxEv/cdJfrrpWMM57IHMg6QvNV0Q=;
 h=Date:MIME-Version:To:From:Message-ID;
 b=WYTFNdvZPVG+FcfB4LnABWFJZciMOauDzF4gfPfVDz00qQZm++PYwt4Rd2luNPDUc
 FpJeReQUYjRKPakd+IhJ71+/5jtC0MFNOshv8zP65tbKTkUriOLtxLla0Aiefrhmfg
 KUQi5imv8mOCEKuadjaQHYkxVZzUy01CZiHH9dkbIwxz/VJY3GbrRundl95Vox4jQc
 UIxRwHbFYTSnQsPmoW1aDBsbKIie7uF2Ep0SqGdUtygrAxCWC2ZrcSLqk6oDuPE1t/
 W5z3+DxSzv/a0++3wi+IpIOEYpek1jHkhNH6ncJ9JNL3FemO31Vhreif7YJyTWf5lV
 C0vVjt5gU5BPA==
X-Virus-Scanned: amavisd-new at rosalinux.ru
Date: Sun, 09 Aug 2020 23:50:07 +0300
User-Agent: K-9 Mail for Android
In-Reply-To: <20200809160847.dm5pi6jycm3x767q@comp-core-i7-2640m-0182e6>
References: <019c50c1-6190-700c-3c32-03b84973ee2b@rosalinux.ru>
 <20200809160847.dm5pi6jycm3x767q@comp-core-i7-2640m-0182e6>
MIME-Version: 1.0
Content-Type: text/plain;
 charset=utf-8
Content-Transfer-Encoding: quoted-printable
To: Alexey Gladkov <gladkov.alexey@gmail.com>,
 Linux console tools development discussion <kbd@lists.altlinux.org>
From: Mikhail Novosyolov <m.novosyolov@rosalinux.ru>
Message-ID: <3F10EDD9-6CBE-4E6E-AD4F-9260C6856C4A@rosalinux.ru>
X-Mailman-Approved-At: Mon, 10 Aug 2020 12:11:14 +0300
Subject: Re: [kbd] [PATCH] vlock: allow sudo user to unlock his session
X-BeenThere: kbd@lists.altlinux.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: Linux console tools development discussion <kbd@lists.altlinux.org>
List-Id: Linux console tools development discussion <kbd.lists.altlinux.org>
List-Unsubscribe: <https://lists.altlinux.org/mailman/options/kbd>,
 <mailto:kbd-request@lists.altlinux.org?subject=unsubscribe>
List-Archive: <http://lists.altlinux.org/pipermail/kbd>
List-Post: <mailto:kbd@lists.altlinux.org>
List-Help: <mailto:kbd-request@lists.altlinux.org?subject=help>
List-Subscribe: <https://lists.altlinux.org/mailman/listinfo/kbd>,
 <mailto:kbd-request@lists.altlinux.org?subject=subscribe>
X-List-Received-Date: Sun, 09 Aug 2020 20:50:15 -0000
Archived-At: <http://lore.altlinux.org/kbd/3F10EDD9-6CBE-4E6E-AD4F-9260C6856C4A@rosalinux.ru/>
List-Archive: <http://lore.altlinux.org/kbd/>



9 =D0=B0=D0=B2=D0=B3=D1=83=D1=81=D1=82=D0=B0 2020 =D0=B3=2E 19:08:47 GMT+0=
3:00, Alexey Gladkov <gladkov=2Ealexey@gmail=2Ecom> =D0=BF=D0=B8=D1=88=D0=
=B5=D1=82:
>On Sat, Aug 01, 2020 at 04:19:59PM +0300, Mikhail Novosyolov wrote:
>>=20
>> https://github=2Ecom/legionus/kbd/pull/45
>>=20
>>=20
>> If a non-root user ran sth like "sudo -i" and vlock'ed from inside
>it,
>> then that user himself should be able to unlock his console=2E
>>=20
>> [user@HP-Elite-7300 tmp]$ echo $LOGNAME
>> user
>> [user@HP-Elite-7300 tmp]$ sudo -i
>> root@HP-Elite-7300:~# echo $LOGNAME
>> root
>> root@HP-Elite-7300:~# echo $SUDO_USER
>> user
>> root@HP-Elite-7300:~#
>>=20
>> Tested on rosa2019=2E1 + kbd 2=2E2=2E0 + this patch:
>> [root@rosa-2019 kbd]# su - user
>> [user@rosa-2019 ~]$ sudo -i
>> [sudo] password for user:
>> [root@rosa-2019 ~]# vlock
>> =D0=94=D0=B0=D0=BD=D0=BD=D0=BE=D0=B5 =D1=83=D1=81=D1=82=D1=80=D0=BE=D0=
=B9=D1=81=D1=82=D0=B2=D0=BE tty (console) =D0=BD=D0=B5 =D1=8F=D0=B2=D0=BB=
=D1=8F=D0=B5=D1=82=D1=81=D1=8F =D0=B2=D0=B8=D1=80=D1=82=D1=83=D0=B0=D0=BB=
=D1=8C=D0=BD=D0=BE=D0=B9 =D0=BA=D0=BE=D0=BD=D1=81=D0=BE=D0=BB=D1=8C=D1=8E=
=2E
>> =D0=91=D0=BB=D0=BE=D0=BA=D0=B8=D1=80=D0=BE=D0=B2=D0=BA=D0=B0 console =
=D1=83=D1=81=D1=82=D0=B0=D0=BD=D0=BE=D0=B2=D0=BB=D0=B5=D0=BD=D0=B0 user=2E
>> =D0=9F=D0=B0=D1=80=D0=BE=D0=BB=D1=8C:
>> [root@rosa-2019 ~]#
>> sudo root session was successfully unlocked with user's password=2E
>> [root@rosa-2019 ~]# unset SUDO_USER
>> [root@rosa-2019 ~]# vlock
>> =D0=94=D0=B0=D0=BD=D0=BD=D0=BE=D0=B5 =D1=83=D1=81=D1=82=D1=80=D0=BE=D0=
=B9=D1=81=D1=82=D0=B2=D0=BE tty (console) =D0=BD=D0=B5 =D1=8F=D0=B2=D0=BB=
=D1=8F=D0=B5=D1=82=D1=81=D1=8F =D0=B2=D0=B8=D1=80=D1=82=D1=83=D0=B0=D0=BB=
=D1=8C=D0=BD=D0=BE=D0=B9 =D0=BA=D0=BE=D0=BD=D1=81=D0=BE=D0=BB=D1=8C=D1=8E=
=2E
>> =D0=91=D0=BB=D0=BE=D0=BA=D0=B8=D1=80=D0=BE=D0=B2=D0=BA=D0=B0 console =
=D1=83=D1=81=D1=82=D0=B0=D0=BD=D0=BE=D0=B2=D0=BB=D0=B5=D0=BD=D0=B0 root=2E
>> =D0=9F=D0=B0=D1=80=D0=BE=D0=BB=D1=8C:
>> root password is requested without $SUDO_ENV=2E
>
>I don't like the idea of implicitly changing the user through
>environment
>variables=2E

I also don't like it, but don't see much difference with setting LOGNAME=
=3Dvasya before running vlock and then being unable to unlock the console w=
ithout root due to fallback to uid=3D0=2E=2E=2E

> SUDO_USER can be exposed accidentally or leak into the
>environment due to an error=2E In this case, you will lock the console
>without being able to unlock=2E
>
>Also, your patch will not allow you to block the console by another
>user
>or by root=2E

What do you mean?

>
>> Another vlock implementation [1, 2] does not check that UIDs match,
>> I do not see sense in this check, removing it to make what I want
>work=2E
>>=20
>> [1] Another vlock implementation: https://github=2Ecom/WorMzy/vlock
>> [2] My similar patch for it:
>https://github=2Ecom/mikhailnov/vlock/commit/ba38d5d563cdfaad3b2f260248b3=
434c235a7afd
>> ---
>> =C2=A0src/vlock/username=2Ec | 17 +++++++++--------
>> =C2=A01 file changed, 9 insertions(+), 8 deletions(-)
>>=20
>> diff --git a/src/vlock/username=2Ec b/src/vlock/username=2Ec
>> index a26a148=2E=2E4c6d295 100644
>> --- a/src/vlock/username=2Ec
>> +++ b/src/vlock/username=2Ec
>> @@ -40,17 +40,18 @@ get_username(void)
>> =C2=A0{
>> =C2=A0=C2=A0=C2=A0 =C2=A0const char *name;
>> =C2=A0=C2=A0=C2=A0 =C2=A0struct passwd *pw =3D 0;
>> +=C2=A0=C2=A0 =C2=A0char *logname =3D NULL;
>> =C2=A0=C2=A0=C2=A0 =C2=A0uid_t uid=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=
=C2=A0=C2=A0 =3D getuid();
>> =C2=A0
>> -=C2=A0=C2=A0 =C2=A0char *logname =3D getenv("LOGNAME");
>> +=C2=A0=C2=A0 =C2=A0/* If a non-root runs a sudo session, ask for user'=
s
>> +=C2=A0=C2=A0 =C2=A0 * password to unlock it, not root's password */
>> +=C2=A0=C2=A0 =C2=A0logname =3D getenv("SUDO_USER");
>> +=C2=A0=C2=A0 =C2=A0if (logname =3D=3D NULL)
>> +=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0logname =3D getenv("LOGNAME");
>> =C2=A0
>> -=C2=A0=C2=A0 =C2=A0if (logname) {
>> -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0pw =3D getpwnam(logname);
>> -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0/* Ensure uid is same as current=
=2E */
>> -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0if (pw && pw->pw_uid !=3D uid)
>> -=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0pw =3D 0;
>> -=C2=A0=C2=A0 =C2=A0}
>> -=C2=A0=C2=A0 =C2=A0if (!pw)
>> +=C2=A0=C2=A0 =C2=A0pw =3D getpwnam(logname);
>> +
>> +=C2=A0=C2=A0 =C2=A0if (!pw && uid)
>> =C2=A0=C2=A0=C2=A0 =C2=A0=C2=A0=C2=A0 =C2=A0pw =3D getpwuid(uid);
>> =C2=A0
>> =C2=A0=C2=A0=C2=A0 =C2=A0if (!pw)
>> --=20
>>=20
>> Please CC me when replying, I am not subscribed to
>kbd@lists=2Ealtlinux=2Eorg
>> The same patch was submited as a pull request on Github:
>https://github=2Ecom/legionus/kbd/pull/45
>>=20
>> _______________________________________________
>> kbd mailing list
>> kbd@lists=2Ealtlinux=2Eorg
>> https://lists=2Ealtlinux=2Eorg/mailman/listinfo/kbd

--=20
=D0=9F=D1=80=D0=BE=D1=81=D1=82=D0=B8=D1=82=D0=B5 =D0=B7=D0=B0 =D0=BA=D1=80=
=D0=B0=D1=82=D0=BA=D0=BE=D1=81=D1=82=D1=8C, =D1=81=D0=BE=D0=B7=D0=B4=D0=B0=
=D0=BD=D0=BE =D0=B2 K-9 Mail=2E