[stunnel-users] SU in exec argument

Peter Pentchev roam at ringlet.net
Thu Nov 7 10:29:31 CET 2013


On Thu, Nov 07, 2013 at 09:58:25AM +0100, Florian Götz wrote:
> Hi stunnel users,
> 
> I'm using SLES with stunnel 4.54-0.9.24, which is stored in /usr/sbin in
> this distribution.
> Stunnel is used with xinetd in non-daemon mode.
> With stunnel in /usr/sbin, I can use stunnel only with root (I know I
> can do a sudoers entry for stunnel....but let's try it the way it was
> meant by the distribution).
> 
> I wanted to use a stunnel.conf like this:
> 
> exec = /bin/su
> execargs = su -l -c "/home/abc/bin/binary" abc

Hi,

It's interesting that first you talk of sudoers, then you try to use
su(8).  On many systems, including Linux, the su(8) utility was
initially developed for interactive use and only later (ok, many, many
years ago, but still only later) was it extended to be, well, more
convenient for non-interactive use by other programs.  On the other
hand, sudo has always been developed with both these goals in mind, it
is much, much easier to use and it has far fewer pitfalls.

So... my advice to you would be to really use sudo and not su.  There
are a lot of factors influencing a su execution, and there are a lot of
problems that you may run into while trying to pass a program with
properly-quoted arguments to it.

That said, the difference between a root login shell and a
non-interactive execution by xinetd is most probably twofold:

- a login shell, by definition, loads a different set of shell startup
  scripts; and yes, even when you run su with -c, it still executes a
  (non-login, non-interactive) shell to run your command after setting a
  proper value for PATH and some other variables.  And yes, I see that
  you are running su with the -l option; still, I'm not completely sure
  that it will be able to properly run a login shell.  This is a point
  where using sudo might make things a bit easier, since it will be,
  well, a bit more predictable, being designed for that kind of use.

- an interactive shell (attached to a terminal) also sets the
  environment up in a way different from a non-interactive one; if there
  are any differences in the output of the 'printenv' command from a
  root login shell and from an xinetd invocation, some of them might be
  related to that.  This is where sudo would not really help, you have
  to figure out how to deal with the differences by yourself :)

I understand where you're coming from with using just the facilities
provided by the OS base system, but, well, IMHO sudo is already a pretty
well-established sysadmin tool and there's no need to exclude it from
the set of the minimal reasonable extensions to the base OS (which, for
me, besides sudo, usually include zsh, screen or tmux, rsync and a
non-minimal version of vim).

G'luck,
Peter

-- 
Peter Pentchev	roam at ringlet.net roam at FreeBSD.org p.penchev at storpool.com
PGP key:	http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115  C354 651E EFB0 2527 DF13
I am the thought you are now thinking.