`su' from the `sys-apps/shadow' package cannot be used for users with invalid shells (`/bin/false', `/dev/null', etc.). `su', at least in the Debian, Ubuntu, Knoppix, RedHat, Fedora Core and SuSE distributions, has a `-s' command-line option for these users to specify a login shell, as well as `-p' to preserve environment variables. These distributions use sh-utils and its successor coreutils. This was reported even in early 2003 but our `su' still lacks those features.

P.S. I know this bug is a dup of 15014 but it seems no one wants to reopen that bug.

Reproducible: Always

Steps to Reproduce:
1. su -c 'ls -l' nobody

Actual Results: (none)

Expected Results: listing of /
Created attachment 64035: patch for coreutils patchset
This patch enables `su' in coreutils package.
Created attachment 64036: coreutils ebuild patch
Patch for `coreutils-5.2.1-r6.ebuild' for enabling `pam' support in `su'
I tested these patches with and without `acl' use flags. Works fine for me. Patches for the shadow package are not ready yet. I think I'll make them next week.
Created attachment 64038: coreutils ebuild patch
More pam stuff from shadow ebuild
Created attachment 64039: pam file for su
pam file for su
Created attachment 64040: pam file for su (openpam)
pam file for su
How about adding those options to shadow's su rather? su from coreutils has really unmaintained pam support, and as such I'd rather not use it.
As far as I know, debian has patches for shadow's `su', but I am busy for now and cannot check this. I will reply with more details when I have more free time to investigate.
yeah, like az said, we're not interested in using `su` from coreutils ... debian uses `su` from shadow so if their su supports these options it's prob because they patched them in ...
Debian's `shadow' source package is heavily patched - the patch is about 6 MB. This patch is for the 4.0.3 version only for now and I cannot port it to 4.0.7 :( I can post the patch for `su.c' and manpages here if you want to try. Using `su' from `coreutils' is much easier - pam support is maintained by all major distros and available for recent versions of coreutils. `su' from shadow is maintained by debian/ubuntu only, as far as I know.
IMHO: su's (-s /bin/sh -c "...") syntax is needed for almost any commercial software installer running on Linux. Therefore it would be preferable to have at least a dummy syntax supporting "-s /bin/sh". As long as "gentoo's su" lacks this support it'll be hard for gentoo to become a supported distribution by commercial software companies.
upstream is already looking into adding the GNU su features into shadow
Created attachment 66724: shadow-4.0.11.1-GNU-su.tar.bz2
Well, I did port the patches, and did some formatting/bug addition patches. I also did send this upstream, but unlike usual, they have not come back. I would like to note that it's still very rough, and that I did try to do it to show what the Debian patches did. I however add this for now in case.
upstream shadow has been adding more and more of these features with each release; 4.0.14, for example, has both "--preserve-environment" and "--login"