http://www.berklix.com/~jhs/src/bsd/fixes/freebsd/src/gen/rescue/suid/su.README

https://lists.freebsd.org/pipermail/freebsd-current/2018-July/070158.html

Hi current@
I want to add su to /rescue, but got stuck on pam.
Old unix su didn't suffer from pam.
There's no #define in su to turn off pam.
Man src.conf says WITHOUT_PAM is deprecated & does nothing.
Can someone please offer a solution ?
Or better to include a simple BSD su pre pam ?
I would happily develop a patch for that.

Notes to explain the need, & patches from my
http://www.berklix.com/~jhs/src/bsd/fixes/freebsd/src/gen/rescue/

---------

Patch[es] below to solve this emailed scenario:

> Please on prison-host cp /lib/libc.so.7 /tank/ezjail/my-domain/lib/libc.so.7
> I am logged in on jail-host, but only as normal-user, not root, so I cannot run
> /rescue/cp /usr/obj/usr/src/lib/libc/libc.so.7 /lib/libc.so.7
>
> a my make installworld on jail-host.my-domain previously failed with
> ===> lib/libc (install)
> install -C -o root -g wheel -m 444 libc.a /usr/lib
> install -C -o root -g wheel -m 444 libc_p.a /usr/lib
> install -s -o root -g wheel -m 444 -fschg -S libc.so.7 /lib
> install: /lib/libc.so.7: chflags: Operation not permitted
> *** Error code 71
> (might or not be an artifact of being in a jail)
>
> unfortunately I had run the command as
> xs make installworld
> (xs is my own little root wrapper)
> so when it exited, I was just normal-user not root, & I had forgotten to
> open another xterm & leave it logged in as root,
> & I found no /rescue/su

*** 12.0-CURRENT/usr/src/rescue/rescue/Makefile.orig Tue Jun 19 14:43:47 2018 --- new-generic/usr/src/rescue/rescue/Makefile Mon Jul 9 12:21:47 2018 *************** *** 188,193 **** --- 188,195 ---- CRUNCH_PROGS_usr.bin+= less CRUNCH_ALIAS_less= more + CRUNCH_PROGS_usr.bin+= su + CRUNCH_PROGS_usr.bin+= xz CRUNCH_ALIAS_xz= unxz lzma unlzma xzcat lzcat

-----

Patch above fails with:

cc -O2 -pipe -DBERKLIX=YES -std=gnu99 -Qunused-arguments -static -o reue rescue.o 
cat.lo chflags.lo chio.lo chmod.lo cp.lo date.lo dd.lo df.lo echo. ed.lo expr.lo getfacl.lo hostname.lo kenv.lo kill.lo ln.lo ls.lo mkdir.lo mv. pkill.lo ps.lo pwd.lo realpath.lo rm.lo rmdir.lo setfacl.lo sh.lo sleep.lo st.lo sync.lo test.lo csh.lo camcontrol.lo clri.lo devfs.lo dmesg.lo dump.lo dums.lo dumpon.lo fsck.lo fsck_ffs.lo fsck_msdosfs.lo fsdb.lo fsirand.lo gbde.lo om.lo ifconfig.lo init.lo kldconfig.lo kldload.lo kldstat.lo kldunload.lo ldcoig.lo md5.lo mdconfig.lo mdmfs.lo mknod.lo mount.lo mount_cd9660.lo mount_msdos.lo mount_nfs.lo mount_nullfs.lo mount_udf.lo mount_unionfs.lo newfs.lo newfssdos.lo nos-tun.lo ping.lo reboot.lo restore.lo rcorder.lo route.lo savecore.lshutdown.lo spppcontrol.lo swapon.lo sysctl.lo tunefs.lo umount.lo ccdconfig.lping6.lo rtsol.lo ipf.lo routed.lo rtquery.lo zfs.lo zpool.lo bsdlabel.lo fdislo dhclient.lo head.lo mt.lo sed.lo tail.lo tee.lo gzip.lo bzip2.lo less.lo suo xz.lo zstd.lo tar.lo nc.lo vi.lo id.lo iscsictl.lo zdb.lo chroot.lo chown.loscsid.lo /data/release/s1/usr/obj/data/release/s1/usr/src/amd64.amd64/rescue/rcue/../librescue/exec.o /data/release/s1/usr/obj/data/release/s1/usr/src/amd64md64/rescue/rescue/../librescue/getusershell.o /data/release/s1/usr/obj/data/rease/s1/usr/src/amd64.amd64/rescue/rescue/../librescue/login_class.o /data/relse/s1/usr/obj/data/release/s1/usr/src/amd64.amd64/rescue/rescue/../librescue/pen.o /data/release/s1/usr/obj/data/release/s1/usr/src/amd64.amd64/rescue/rescu../librescue/rcmdsh.o /data/release/s1/usr/obj/data/release/s1/usr/src/amd64.a64/rescue/rescue/../librescue/sysctl.o /data/release/s1/usr/obj/data/release/susr/src/amd64.amd64/rescue/rescue/../librescue/system.o -lcrypt -ledit -ljail kvm -lelf -ll -ltermcapw -lutil -lxo -l80211 -lalias -lcam -lncursesw -ldevsta-lipsec -llzma -lavl -lzpool -lzfs_core -lzfs -lnvpair -lpthread -luutil -lume-lgeom -lbsdxml -lkiconv -lmt -lsbuf -lufs -lz -lbz2 -lprivatezstd -larchive -rypto -lmd -lm /usr/bin/ld: error: undefined symbol: 
pam_start
>>> referenced by su.lo:(_$$hide$$ su.lo main)
/usr/bin/ld: error: undefined symbol: pam_set_item
>>> referenced by su.lo:(_$$hide$$ su.lo main)

Patch below does not solve problem above

*** 12.0-CURRENT/usr/src/rescue/librescue/Makefile.orig Mon Jul 9 13:02:43 2018 --- new-generic/usr/src/rescue/librescue/Makefile Mon Jul 9 13:03:59 2018 *************** *** 16,21 **** --- 16,22 ---- .PATH: ${SRCTOP}/lib/libc/gen \ ${SRCTOP}/lib/libc/net \ ${SRCTOP}/lib/libc/stdlib \ + ${SRCTOP}/lib/libpam/libpam \ ${SRCTOP}/lib/libutil LIB= rescue

---

changing libpam/libpam to libpam also fails

---

Pending discussion of my post above, as interim measure I have edited install within
http://www.berklix.com/~jhs/src/bsd/jhs/bin/public/xs/Makefile

---

Guy Helmer pointed out if all /rescue/* were linked with suid 0 it would be a security loophole.
So su is now provided separately.
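
Review bot: In the rescue/rescue/Makefile hunk, `CRUNCH_PROGS_usr.bin+= su` is added with no matching library, so su.lo's PAM calls cannot resolve: the link line quoted after the patch has no -lpam and ld stops on pam_start and pam_set_item. Add the PAM library to the crunch link in the same change. Separately, su only does its job when it is setuid root, and the closing note on this page says the crunched binary must not carry that bit for every /rescue name, so the change should state how this su is meant to get its privilege, or su should stay out of the crunch list.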
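
Review bot: In the librescue/Makefile hunk, the new `${SRCTOP}/lib/libpam/libpam \` entry only extends .PATH, which is a source search path; the visible hunk adds nothing that names a libpam source file to build, so no object defining pam_start or pam_set_item is produced and the link error stays the same. Either list the needed libpam sources for librescue in this hunk, or drop it and link the PAM library from rescue/rescue/Makefile.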
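
The loophole noted above follows from how /rescue is laid out: its names are hard links to one crunched binary, so a setuid bit set through any one name applies to all of them. The script below is an added example, not part of the original README; the function names and the constructed demo directory are assumptions. It lists setuid inodes that are reachable under more than one name.

```shell
#!/bin/sh
# Added example: report setuid files that share an inode with other names.
# Assumption: no file names in the audited directory contain newlines.

# suid_shared_names DIR
# For every setuid inode under DIR that has more than one hard link,
# print a count line followed by every name in DIR that reaches it.
suid_shared_names() {
    dir=$1
    find "$dir" -xdev -type f -perm -4000 -links +1 | sort |
    while IFS= read -r f; do
        # All names under DIR that point at the same inode as $f.
        names=$(find "$dir" -xdev -samefile "$f" | sort)
        # The mode lives in the inode, so every link is reported as
        # setuid by find; print each inode once, from its first name.
        first=$(printf '%s\n' "$names" | head -n 1)
        [ "$f" = "$first" ] || continue
        count=$(printf '%s\n' "$names" | wc -l | tr -d ' ')
        printf '%s names share one setuid inode:\n%s\n' "$count" "$names"
    done
}

# demo: constructed stand-in for a crunched directory, not real /rescue data.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/rescue"                  # the single crunched binary
    ln "$d/rescue" "$d/cp"           # tool names are hard links to it
    ln "$d/rescue" "$d/su"
    : > "$d/su-standalone"           # su shipped as its own file
    chmod 4555 "$d/su"               # also makes cp and rescue setuid
    chmod 4555 "$d/su-standalone"    # affects this one name only
    suid_shared_names "$d"           # reports cp, rescue, su; not su-standalone
    rm -rf "$d"
}

# With an argument, audit that directory; without one, run the demo.
if [ $# -gt 0 ]; then
    suid_shared_names "$1"
else
    demo
fi
```

Run it as `sh script.sh /rescue` on a real system; empty output means no setuid inode there is shared between names.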