On Wed, 2011-08-17 at 09:30 -0500, Ted Toth wrote:
> I've read that I should use runuser instead of su and I was having a
> problem getting a script to transition properly until I changed it to
> use runuser but I'm not clear on why this is. Can someone help me with
> an elevator speech that I can use when trying to explain this to
> others?

runuser runs in the same uid (i.e. it is not setuid-root) and security context as the caller - it isn't a trusted application. It can only be used if the caller is already privileged. It never requires authentication, and thus can be easily used in non-interactive scripts.

su is a setuid-root program that typically runs in a different security context than the caller so that it can read user authentication secrets (/etc/shadow) and switch identities even if the caller can't directly do so. Early versions of Fedora/RHEL also put pam_selinux into /etc/pam.d/su, causing it to explicitly switch to the new user's security context, but that was later removed. But even without that, there is a security context transition when you invoke su (to enter su's domain so that you can read /etc/shadow and switch uid) and when su invokes the user shell or command (to transition back to the original caller's domain).

-- 
Stephen Smalley
National Security Agency
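The two properties the reply relies on, that su carries the setuid bit while runuser does not, and that a PAM stack may or may not load pam_selinux, are both things an administrator can verify on a given host. The script below is an added example and not part of the mailing-list thread or of any project's code; it runs its checks first on constructed fixtures in a temporary directory (so it works on a system without SELinux) and then on the real files. The paths /usr/bin/su, /sbin/runuser, /etc/pam.d/su and /etc/pam.d/runuser are the usual locations on Fedora/RHEL but are assumptions about the target system.

```shell
#!/bin/sh
# Added example: audit helpers for identity-switching binaries and their
# PAM stacks. Not from the mailing-list thread; paths are assumptions.

# is_setuid PATH -> exit 0 if the setuid mode bit is set, 1 otherwise.
is_setuid() {
    [ -u "$1" ]
}

# owner_uid PATH -> prints the numeric owner uid of PATH.
# Uses GNU stat when available, otherwise falls back to ls -ln.
owner_uid() {
    stat -c '%u' "$1" 2>/dev/null || ls -ln "$1" | awk '{print $3}'
}

# classify PATH -> prints "setuid-root", "setuid-nonroot" or "not-setuid".
# Only a setuid-root binary can read /etc/shadow and switch uid for an
# unprivileged caller, which is what distinguishes su from runuser.
classify() {
    if is_setuid "$1"; then
        if [ "$(owner_uid "$1")" = "0" ]; then
            echo "setuid-root"
        else
            echo "setuid-nonroot"
        fi
    else
        echo "not-setuid"
    fi
}

# pam_loads_selinux FILE -> exit 0 if FILE has an active (non-commented)
# line referencing pam_selinux.so, 1 otherwise. This is the historical
# Fedora/RHEL configuration that made su switch to the target user's
# security context explicitly.
pam_loads_selinux() {
    grep -Eq '^[[:space:]]*[^#[:space:]].*pam_selinux\.so' "$1"
}

# report BINARY PAMFILE -> one-line summary for a switching tool.
report() {
    bin="$1"; pamfile="$2"
    if [ -e "$bin" ]; then
        printf '%s: %s' "$bin" "$(classify "$bin")"
    else
        printf '%s: not installed' "$bin"
    fi
    if [ -r "$pamfile" ]; then
        if pam_loads_selinux "$pamfile"; then
            printf ', %s loads pam_selinux\n' "$pamfile"
        else
            printf ', %s does not load pam_selinux\n' "$pamfile"
        fi
    else
        printf '\n'
    fi
}

# demo: constructed fixtures first (so the script runs anywhere), then the
# real binaries and PAM files if this host has them.
demo() {
    tmp=$(mktemp -d)
    : > "$tmp/fake_su";      chmod 4755 "$tmp/fake_su"       # setuid bit set
    : > "$tmp/fake_runuser"; chmod 0755 "$tmp/fake_runuser"  # no setuid bit
    # Constructed PAM fragments: one with pam_selinux active, one commented out.
    printf 'auth     include system-auth\nsession  optional pam_selinux.so open\n' > "$tmp/pam_su_old"
    printf 'auth     include system-auth\n# session optional pam_selinux.so open\n' > "$tmp/pam_su_new"
    report "$tmp/fake_su" "$tmp/pam_su_old"
    report "$tmp/fake_runuser" "$tmp/pam_su_new"
    report /usr/bin/su /etc/pam.d/su
    report /sbin/runuser /etc/pam.d/runuser
    rm -rf "$tmp"
}

demo
```

On an SELinux host, pairing this with `ls -Z` on the binaries and `id -Z` before and after a switch shows the domain transition the reply describes; the fixture run above only confirms that the checks themselves behave as intended.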