On Sun, Aug 05, 2018 at 10:35:34AM +0200, Martin Steigerwald wrote:
> ownership preserved. However, for accessing the remote servers it needs
> access to the SSH agent running in the user session. The backup scripts
> uses commands that are in "sbin" related directories.
This is common misunderstanding with su/sudo.
su(1) creates a new *session* -- it means all the PAM stuff, all
logging, extra session parent process, etc. It's almost always
overkill to use such commands if all you need is a different UID.
> And then: How to implement a backup script that needs root access for
> most operations, but also requires access to SSH agent from a user
> setup? Dig out the environment variables of the SSH agent myself? Let
> the script run as a user and use "setprivs" that is mentioned as
> recommend in the "su" manpage, yet is in a different package altogether
> and not part of "util-linux".
setpriv(1) is the right choice and it's part of util-linux (at least
in upstream tree).
> Also… login.defs manpage from shadow project does not mention
> "ALWAYS_SET_PATH", but manpage of su from util-linux does mention it.
> And there does not appear to be a manpage about "login.defs" in "util-
> linux" package at all. (I found before that there appears to be a huge,
> big mess about some things in "util-linux", some in "shadow" and some in
> both).
"login.defs" is shared between many projects and tools. We have all
related options described in tool specific man pages -- for example in
su(1).
Karel
--
Karel Zak <kzak@xxxxxxxxxx>
http://karelzak.blogspot.com
--
To unsubscribe from this list: send the line "unsubscribe util-linux" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
