Why /usr/sbin is not in my root $PATH ?


Re: Why /usr/sbin is not in my root $PATH ?

Tixy-2
On Sat, 2019-02-23 at 15:27 +0100, Mart van de Wege wrote:
> Greg Wooledge <[hidden email]> writes:
>
> >
> > The problem with "su -" is that it strips out *all* of your
> > environment,
>
> That's a feature, not a bug. You *don't* want to import Joe Random
> User's environment into root's.

But it's not Joe Random User, it's Joe Sysadmin - unless you're in the
habit of giving root's password to everyone.

--
Tixy


Re: Why /usr/sbin is not in my root $PATH ?

John Hasler-3
> But it's not Joe Random User, it's Joe Sysadmin

Worse.  Who is most likely to have put weird stuff in his environment?
--
John Hasler
[hidden email]
Elmwood, WI USA


Re: Why /usr/sbin is not in my root $PATH ?

Mart van de Wege
John Hasler <[hidden email]> writes:

>> But it's not Joe Random User, it's Joe Sysadmin
>
> Worse.  Who is most likely to have put weird stuff in his environment?

And it's not as if sysadmins never log in as other users. Oh no.

Really, not using a clean, known environment as root is plain good
practice, and has been for years, if not actually decades.

Mart

--
"We will need a longer wall when the revolution comes."
--- AJS, quoting an uncertain source.


Re: Why /usr/sbin is not in my root $PATH ?

Curt
On 2019-02-24, Mart van de Wege <[hidden email]> wrote:
>
> Really, not using a clean, known environment as root is plain good
> practice, and has been for years, if not actually decades.

Have you expressed the opposite of your intention here?

A clean, known environment sounds like something in one of those Mormon
pamphlets.

;-)

> Mart
>


--
When you have fever you are heavy and light, you are small and swollen, you
climb endlessly a ladder which turns like a wheel.
Jean Rhys, Voyage in the Dark


[OT] Re: Why /usr/sbin is not in my root $PATH ?

David Wright-3
On Sun 24 Feb 2019 at 08:57:37 (-0000), Curt wrote:
> On 2019-02-24, Mart van de Wege <[hidden email]> wrote:
> >
> > Really, not using a clean, known environment as root is plain good
> > practice, and has been for years, if not actually decades.
>
> Have you expressed the opposite of your intention here?

Often accidentally done.

> A clean, known environment sounds like something in one of those Mormon
> pamphlets.

You mean somebody actually reads The Watchtower?

Cheers,
David.


Re: [OT] Re: Why /usr/sbin is not in my root $PATH ?

Martin Smith-4
On 24/02/2019 15:39, David Wright wrote:

> On Sun 24 Feb 2019 at 08:57:37 (-0000), Curt wrote:
>> On 2019-02-24, Mart van de Wege <[hidden email]> wrote:
>>> Really, not using a clean, known environment as root is plain good
>>> practice, and has been for years, if not actually decades.
>> Have you expressed the opposite of your intention here?
> Often accidentally done.
>
>> A clean, known environment sounds like something in one of those Mormon
>> pamphlets.
> You mean somebody actually reads The Watchtower
actually old chap that's the Jehovah's Witnesses scare sheet :)
>
> Cheers,
> David.
>
>

--

Martin



Re: [OT] Re: Why /usr/sbin is not in my root $PATH ?

David Wright-3
On Sun 24 Feb 2019 at 17:28:18 (+0000), Martin Smith wrote:

> On 24/02/2019 15:39, David Wright wrote:
> > On Sun 24 Feb 2019 at 08:57:37 (-0000), Curt wrote:
> > > On 2019-02-24, Mart van de Wege <[hidden email]> wrote:
> > > > Really, not using a clean, known environment as root is plain good
> > > > practice, and has been for years, if not actually decades.
> > > Have you expressed the opposite of your intention here?
> > Often accidentally done.
> >
> > > A clean, known environment sounds like something in one of those Mormon
> > > pamphlets.
> > You mean somebody actually reads The Watchtower
> actually old chap thats the Jehovah's Witnesses scare sheet :)

QED.

Cheers,
David.


Re: Why /usr/sbin is not in my root $PATH ?

andreimpopescu
In reply to this post by Greg Wooledge
On Thu, 21 Feb 19, 11:26:29, Greg Wooledge wrote:

> On Thu, Feb 21, 2019 at 04:14:53PM +0000, Jonathan de Boyne Pollard wrote:
> > You could point them to StackExchange in the meantime.  (-:
> >
> > * https://unix.stackexchange.com/a/460769/5132
>
> On that page:
> > Doing plain 'su' is a really bad idea for many reasons,
>
> Name one!  Seriously, what kind of inane statement is that?
>
> > If you want to restore behaviour more similar to the previous one you can
> > add 'ALWAYS_SET_PATH yes' in /etc/login.defs.
>
> OK, I'll just go to Debian's online man pages and find the buster
> man page for su (or login.defs) to find out what that is...
>
> ... hey, where's the buster man pages?
 
Normally there are links for testing and unstable, but in this case the
manpage is also in a different package:

https://manpages.debian.org/testing/util-linux/su.1.en.html

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser


Re: Why /usr/sbin is not in my root $PATH ?

andreimpopescu
In reply to this post by Greg Wooledge
On Thu, 21 Feb 19, 12:42:47, Greg Wooledge wrote:

> Well, for those who are interested, I've added some information to
> <https://wiki.debian.org/NewInBuster>.  I'm trusting that the
> ALWAYS_SET_PATH thing from that random web page was actually correct,
> because verification would take a lot of work.  It's a wiki, so someone
> else can correct it if it's wrong.
>
> When I linked to EnvironmentVariables I also found a section at the
> end of *that* page which describes the current behavior of su, so I
> updated that page slightly as well.
>
> I can't even begin to guess how many places assume the current su
> behavior or how difficult it will be to find and change them all.
You have studied this issue in great detail.

Would you care to submit a bug against release-notes with proposed
wording?

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser


Re: Why /usr/sbin is not in my root $PATH ?

ghe-2
In reply to this post by ghe-2
On 2/21/19 11:12 AM, ghe wrote:

> Another Busterism, BTW: ping now requires root privileges. It does on my
> computer, anyway. Maybe I made a mistake when I installed -- somebody
> sure did.

Fix: 'alias ping="sudo ping"' in .bashrc. I'm on Buster too :-)

--
Glenn English


Re: Why /usr/sbin is not in my root $PATH ?

andy smith-10
Hello,

On Sun, May 26, 2019 at 07:41:41AM -0600, ghe wrote:
> On 2/21/19 11:12 AM, ghe wrote:
>
> > Another Busterism, BTW: ping now requires root privileges. It does on my
> > computer, anyway. Maybe I made a mistake when I installed -- somebody
> > sure did.
>
> Fix: 'alias ping="sudo ping"' in .bashrc. I'm on Buster too :-)

After a normal install, /bin/ping should end up with the
capabilities such that it can do what it needs to do. These are:

$ getcap /bin/ping
/bin/ping = cap_net_raw+ep

If yours has not ended up with those capabilities, I think that is a
bug in whatever method of install you have used.

Glenn, and Andrei, do you do anything out of the ordinary to
install?

Myself I have seen this happen when untarring the operating system
as by default tar does not store or re-apply such capabilities.

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting


Re: Why /usr/sbin is not in my root $PATH ?

andreimpopescu
On Mon, 27 May 19, 02:15:49, Andy Smith wrote:
>
> Glenn, and Andrei, do you do anything out of the ordinary to
> install?
 
https://salsa.debian.org/amp-guest/pine64/blob/master/pine64_buildimage

> Myself I have seen this happen when untarring the operating system
> as by default tar does not store or re-apply such capabilities.

While I didn't mention it in this thread, ping had indeed somehow lost
its capabilities on my system. 'dpkg-reconfigure iputils-ping' fixed it.

Kind regards,
Andrei
--
http://wiki.debian.org/FAQsFromDebianUser


Re: Why /usr/sbin is not in my root $PATH ?

andy smith-10
Hello,

On Mon, May 27, 2019 at 08:12:32AM +0300, Andrei POPESCU wrote:
> On Mon, 27 May 19, 02:15:49, Andy Smith wrote:
> >
> > Glenn, and Andrei, do you do anything out of the ordinary to
> > install?
>  
> https://salsa.debian.org/amp-guest/pine64/blob/master/pine64_buildimage

Seems it does a debootstrap, so it would be interesting to know if a
plain old debootstrap results in a /bin/ping with the correct
capabilities…

Cheers,
Andy


Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

Jason-4
In reply to this post by andreimpopescu
On Mon, May 27, 2019 at 08:12:32AM +0300, Andrei POPESCU wrote:
>
> While I didn't mention it in this thread, ping had indeed somehow lost
> its capabilities on my system. 'dpkg-reconfigure iputils-ping' fixed it.

That worked for me (I'm not the OP) with Stretch on an ARM board. Before
running the above command, I could only ping as root or using sudo, now
I can ping as a normal user. Thanks!

>
> Kind regards,
> Andrei
> --
> http://wiki.debian.org/FAQsFromDebianUser


--
Jason


Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

andy smith-10
Hi Jason,

On Wed, May 29, 2019 at 04:18:51PM -0500, Jason wrote:
> On Mon, May 27, 2019 at 08:12:32AM +0300, Andrei POPESCU wrote:
> > While I didn't mention it in this thread, ping had indeed somehow lost
> > its capabilities on my system. 'dpkg-reconfigure iputils-ping' fixed it.
>
> That worked for me (I'm not the OP) with Stretch on an ARM board. Before
> running the above command, I could only ping as root or using sudo, now
> I can ping as a normal user. Thanks!

How did you install this system? Because /bin/ping is supposed to
come with file capabilities such that the user can allow it to do
what it needs to do (this is part of what 'dpkg-reconfigure
iputils-ping' restores). So it would be interesting to know how the
system was installed in case there is a general theme for those who
never got those capabilities.

One other person in this thread said they used (a script which
ultimately uses) debootstrap.

Cheers,
Andy


Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

Cindy Sue Causey
On 5/29/19, Andy Smith <[hidden email]> wrote:

> Hi Jason,
>
> On Wed, May 29, 2019 at 04:18:51PM -0500, Jason wrote:
>> On Mon, May 27, 2019 at 08:12:32AM +0300, Andrei POPESCU wrote:
>> > While I didn't mention it in this thread, ping had indeed somehow lost
>> > its capabilities on my system. 'dpkg-reconfigure iputils-ping' fixed
>> > it.
>>
>> That worked for me (I'm not the OP) with Stretch on an ARM board. Before
>> running the above command, I could only ping as root or using sudo, now
>> I can ping as a normal user. Thanks!
>
> How did you install this system? Because /bin/ping is supposed to
> come with file capabilities such that the user can allow it to do
> what it needs to do (this is part of what 'dpkg-reconfigure
> iputils-ping' restores). So it would be interesting to know how the
> system was installed in case there is a general theme for those who
> never got those capabilities.
>
> One other person in this thread said they used (a script which
> ultimately uses) debootstrap.


Was sitting here reading through before responding. Debootstrap. I
JUST seconds ago finished running the first step, the initial download
and install, for that again. *having to rebuild my dotDeb cache, don't
wanna talk about it, smacking my head!*

Just searched and "iputils-ping" is already installed at the absolute
bare minimum debootstrap base level. I really didn't think that
package was installed because I don't ever remember encountering that
package name. That "ping" part would stand out to me, but it never
has... until just now.

So, yeah, at least for Debootstrap. "iputils-ping" is in there at the
absolute very first start where the Developers have picked the very
first packages that get the party started before the User then picks
everything else...

Cindy :)
--
Cindy-Sue Causey
Talking Rock, Pickens County, Georgia, USA

* Base system installed successfully. Works every time... as long
as... APT archives are not... cough.. symlinked instead of "mount -B".
*


Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

andy smith-10
Hi Cindy,

On Wed, May 29, 2019 at 09:48:44PM -0400, Cindy Sue Causey wrote:
> So, yeah, at least for Debootstrap. "iputils-ping" is in there at the
> absolute very first start where the Developers have picked the very
> first packages that get the party started before the User then picks
> everything else...

That's not the issue at hand. The issue is whether the file
/bin/ping retains the file capabilities. People who have a /bin/ping
that only works as root are missing these:

$ getcap /bin/ping
/bin/ping = cap_net_raw+ep

If they didn't have the package installed at all then it would be a
very different and more obvious error that was presented.

So my question is, are installs done by debootstrap somehow losing
the file capabilities? I ask because in this thread, one of the
other people reporting a /bin/ping without the correct capabilities
did their install through debootstrap.

If you've just done a debootstrap, what does getcap return for the
/bin/ping that got installed?

Cheers,
Andy

--
https://bitfolk.com/ -- No-nonsense VPS hosting


Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

Gene Heskett-4
In reply to this post by andy smith-10
On Wednesday 29 May 2019 07:46:50 pm Andy Smith wrote:

> Hi Jason,
>
> On Wed, May 29, 2019 at 04:18:51PM -0500, Jason wrote:
> > On Mon, May 27, 2019 at 08:12:32AM +0300, Andrei POPESCU wrote:
> > > While I didn't mention it in this thread, ping had indeed somehow
> > > lost its capabilities on my system. 'dpkg-reconfigure
> > > iputils-ping' fixed it.
> >
> > That worked for me (I'm not the OP) with Stretch on an ARM board.
> > Before running the above command, I could only ping as root or using
> > sudo, now I can ping as a normal user. Thanks!
>
> How did you install this system? Because /bin/ping is supposed to
> come with file capabilities such that the user can allow it to do
> what it needs to do (this is part of what 'dpkg-reconfigure
> iputils-ping' restores). So it would be interesting to know how the
> system was installed in case there is a general theme for those who
> never got those capabilities.
>
> One other person in this thread said they used (a script which
> ultimately uses) debootstrap.
>
> Cheers,
> Andy

The default $PATH the installer sets up for $users apparently does not
include any of the sbin's, only /usr/bin and /bin. I've been fixing that
for several generations of Debian installs. Probably shouldn't as there
may be some good reason for it, but it is MY machine.

Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>


Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

Reco
In reply to this post by andy smith-10
Hi.

On Thu, May 30, 2019 at 02:44:58AM +0000, Andy Smith wrote:
> So my question is, are installs done by debootstrap somehow losing
> the file capabilities? I ask because in this thread, one of the
> other people reporting a /bin/ping without the correct capabilities
> did their install through debootstrap.

Easy. You run debootstrap, set some --include options (which pull
libcap2-bin by dependency), and then you tar the whole resulting
filesystem.
tar never understood file capabilities, so they are lost in the process.


> If you've just done a debootstrap, what does getcap return for the
> /bin/ping that got installed?

I'm not Cindy (obviously), but I'm not lazy, so I just ran debootstrap a
couple of times.

debootstrap --variant=minbase does not install iputils-ping at all.

debootstrap (no --variant) does install iputils-ping, but does not
install libcap2-bin. Hence iputils-ping postinst script simply sets
suid bit on /bin/ping as postinst cannot locate setcap.

Reco
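
Added example, not part of any poster's message: a small shell audit that tells apart the three states discussed in this thread for a ping binary (file capability present, setuid-root fallback, or neither). The function names, the sample inputs and the illustrative chroot path are constructed for this example.

```shell
#!/bin/sh
# Added example: classify how a ping binary obtains raw-socket privilege.

# ping_priv_state GETCAP_OUTPUT OCTAL_MODE OWNER_UID
# Pure function: prints "capability", "setuid-root" or "unprivileged".
ping_priv_state() {
    caps=$1 mode=$2 uid=$3
    case $caps in
        # Matches "cap_net_raw+ep" as quoted in the thread, and the
        # "cap_net_raw=ep" spelling printed by some libcap versions.
        *cap_net_raw*[+=]ep*) echo capability; return 0 ;;
    esac
    # 04000 is the setuid bit; it only grants root when root owns the file.
    if [ $(( 0$mode & 04000 )) -ne 0 ] && [ "$uid" = 0 ]; then
        echo setuid-root
    else
        echo unprivileged
    fi
}

# audit_ping PATH: gather the facts from a real file and classify it.
audit_ping() {
    f=$1
    if [ ! -e "$f" ]; then echo missing; return 0; fi
    # getcap may be absent (libcap2-bin not installed) or live in an sbin
    # directory that is not on a normal user's PATH; treat both as "no caps".
    caps=$(PATH=$PATH:/usr/sbin:/sbin; getcap "$f" 2>/dev/null || true)
    ping_priv_state "$caps" "$(stat -c %a "$f")" "$(stat -c %u "$f")"
}

if [ "$#" -gt 0 ]; then
    # e.g. ./audit.sh /srv/chroot/bin/ping  (path is illustrative)
    echo "$1: $(audit_ping "$1")"
else
    # Constructed sample inputs, so the script shows something offline.
    echo "caps present:   $(ping_priv_state '/bin/ping = cap_net_raw+ep' 755 0)"
    echo "suid fallback:  $(ping_priv_state '' 4755 0)"
    echo "after bare tar: $(ping_priv_state '' 755 0)"
fi
```

A result of "unprivileged" is the state that posters in this thread repaired with 'dpkg-reconfigure iputils-ping'; "setuid-root" is the fallback described above when setcap cannot be found.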


Re: Ping as normal user (Was: Why /usr/sbin is not in my root $PATH ?)

Curt
In reply to this post by andy smith-10
On 2019-05-29, Andy Smith <[hidden email]> wrote:
>
> How did you install this system? Because /bin/ping is supposed to
> come with file capabilities such that the user can allow it to do
> what it needs to do (this is part of what 'dpkg-reconfigure
> iputils-ping' restores). So it would be interesting to know how the
> system was installed in case there is a general theme for those who
> never got those capabilities.

There is a bug related to this imbroglio:

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=780721
(libcap2-bin is recommended but is not a dependency of iputils-ping,
because "iputils-ping, as priority 'important', cannot declare a
dependency on libcap2-bin, which is priority 'optional'").

> One other person in this thread said they used (a script which
> ultimately uses) debootstrap.
>
> Cheers,
> Andy
>
>


--
“Decisions are never really made – at best they manage to emerge, from a chaos
of peeves, whims, hallucinations and all around assholery.” – Thomas Pynchon
