LinuxQuestions.org
Welcome to the most active Linux Forum on the web.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices

Reply
 
Search this Thread
Old 08-17-2006, 08:52 AM   #1
RachunZero
LQ Newbie
 
Registered: Aug 2006
Posts: 4

Rep: Reputation: 0
su command in init script blocks


I'm using a generic logging script from init:

exec sh -c "$*" 2>&1 | /usr/bin/logger -i -t `basename $1` -p info"

that i call like "syslog.sh oracle.sh" from another script installed with chkconfig.

oracle.sh performs

su - oracle -c "opmnctl startall"

init starts the logger, and i get a couple of messages in /var/log/messages, but then the su command blocks (I can see the su command with ps).

If I execute the exact same command interactively, it works fine, but from init, it blocks.

This also runs fine on AIX.

One thing I noticed is that I do get the "cannot relabel" pam selinux error when running interactively, but this is apparently normal.
 
Old 08-17-2006, 10:01 AM   #2
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
Could it be that the su is simply blocked on asking for the password?
Try logging the output of "whoami" just before the su call.
If it says that you're root, then you can su without submitting a password. Otherwise, su will stop when it asks for a password.

If it does say root, maybe there's a problem with your PAM/SELinux settings or something.
Since you mention that it runs fine on AIX ( a Unix variant, if I'm not mistaken), SELinux might indeed be the cause.

As an alternative, you could also try creating script to launch opmnctl. Chown it to user 'oracle' and give it setUID permission bit. In such a case, the 'su' will become unnecessary.
 
Old 08-17-2006, 10:48 AM   #3
soggycornflake
Member
 
Registered: May 2006
Location: England
Distribution: Slackware 10.2, Slamd64
Posts: 249

Rep: Reputation: 31
illogical train of thought, sorry.....

Last edited by soggycornflake; 08-17-2006 at 10:49 AM.
 
Old 08-21-2006, 07:57 AM   #4
RachunZero
LQ Newbie
 
Registered: Aug 2006
Posts: 4

Original Poster
Rep: Reputation: 0
Thanks timmeke.

I checked and id shows root just before the su.

Do you know a way to debug selinux or this script? How can I even tell what is happening?
 
Old 08-22-2006, 02:01 AM   #5
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
If you're already running the commands as root, then su won't ask for a password normally.
But coming to think of it, root can run any command, including the opmctl command. So you could leave off the "su". Downside is that it'll run your command as root, rather than user "oracle".

Can you do an ls -l on the opmctl program? I'm guessing that there might be better alternatives than using "su" in this case. The SetUID permission bit, to be precise.

You may try running the command (su ...) in a subshell and catch all of it's output/error messages like this:
Code:
( su - oracle -c "opmnctl startall" 2>&1 ) > /tmp/test.log
I'm no expert in debugging/disabling SELinux. Maybe you can search the security forum for answers on that?

You might also try sending "su" a signal to quit (run it in the background, then use $! to get the process ID of the command, followed by a "kill" command to send the signal). This should stop it from blocking everything, and may also log/show some error messages, but it probably won't properly execute the command you want it to.
 
Old 08-22-2006, 04:18 AM   #6
RachunZero
LQ Newbie
 
Registered: Aug 2006
Posts: 4

Original Poster
Rep: Reputation: 0
Ahah!

That helped. It prints "Do you want to choose a different one? [n]" on stderr.

This is an seLinux question specific to redhat. They've integrated newrole and su... Now I have to find a way around this. I think using setuid is maybe the best, but I have to rethink things because some of the things need to be executed from root, some from Oracle.

Thanks for your help.
 
Old 08-22-2006, 04:30 AM   #7
RachunZero
LQ Newbie
 
Registered: Aug 2006
Posts: 4

Original Poster
Rep: Reputation: 0
The solution is to remove the "multiple" option in /etc/pam.d/su

on the line

session required /lib/security/$ISA/pam_selinux.so open multiple

The docs say that multiple means:

"Tells pam_selinux.so to allow the user to select the security context they will login with, if the user has more than one role."
 
  


Reply

Tags
exec, init, su


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
init script not running naz37 Programming 2 06-12-2006 01:50 PM
Shell script to compare blocks of strings? bruno buys Programming 10 04-15-2006 02:16 PM
using init command reetep Linux - Newbie 7 10-27-2003 03:11 PM
Script file to replace large text blocks in files? stodge Linux - Software 0 09-27-2003 10:53 AM
could use some help with my init.d script.... BrianK Linux - General 3 10-31-2002 07:21 PM


All times are GMT -5. The time now is 09:14 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration