On Thu, Nov 07, 2013 at 09:58:25AM +0100, Florian Götz wrote:
Hi stunnel users,
I'm using SLES with stunnel 4.54-0.9.24, which is stored in /usr/sbin in this distribution. Stunnel is used with xinetd in non-daemon mode. With stunnel in /usr/sbin, I can use stunnel only with root (I know I can do a sudoers entry for stunnel....but let's try it the way it was meant by the distribution).
I wanted to use a stunnel.conf like this:
exec = /bin/su
execargs = su -l -c "/home/abc/bin/binary" abc
Hi,
It's interesting that first you talk of sudoers, then you try to use su(8). On many systems, including Linux, the su(8) utility was initially developed for interactive use and only later (ok, many, many years ago, but still only later) was it extended to be, well, more convenient for non-interactive use by other programs. On the other hand, sudo has always been developed with both these goals in mind, it is much, much easier to use and it has much fewer pitfalls.
So... my advice to you would be to really use sudo and not su. There are a lot of factors influencing a su execution, and there are a lot of problems that you may run into while trying to pass a program with properly-quoted arguments to it.
That said, the difference between a root login shell and a non-interactive execution by xinetd is most probably twofold:
- a login shell, by definition, loads a different set of shell startup scripts; and yes, even when you run su with -c, it still executes a (non-login, non-interactive) shell to run your command after setting a proper value for PATH and some other variables. And yes, I see that you are running su with the -l option; still, I'm not completely sure that it will be able to properly run a login shell. This is a point where using sudo might make things a bit easier, since it will be, well, a bit more predictable, being designed for that kind of use.
- an interactive shell (attached to a terminal) also sets the environment up in a way different from a non-interactive one; if there are any differences in the output of the 'printenv' command from a root login shell and from an xinetd invocation, some of them might be related to that. This is where sudo would not really help, you have to figure out how to deal with the differences by yourself :)
I understand where you're coming from with using just the facilities provided by the OS base system, but, well, IMHO sudo is already a pretty well-established sysadmin tool and there's no need to exclude it from the set of the minimal reasonable extensions to the base OS (which, for me, besides sudo, usually include zsh, screen or tmux, rsync and a non-minimal version of vim).
G'luck, Peter
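Peter's second point suggests comparing the output of 'printenv' from a root login shell with the output from the xinetd invocation. The script below is an added example (not part of the thread and not stunnel's own tooling) that does that comparison: given two saved printenv dumps, it lists the variables that are missing from the xinetd side and the ones whose values differ. The two dumps embedded here are constructed samples, not output from the poster's system; in practice you would save the real dumps with something like 'printenv > /tmp/login.env' from the login shell and 'exec = /usr/bin/printenv' (plus a matching execargs) temporarily in stunnel.conf for the xinetd side.

```shell
#!/bin/sh
# Added example: diff the environment seen by two invocations of a command.
# Works with plain POSIX sh (no bash process substitution), so it runs on SLES.

# env_names FILE: sorted list of variable names in a printenv dump.
env_names() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_]*\)=.*/\1/p' "$1" | sort -u
}

# env_missing BASELINE ACTUAL: names set in BASELINE but absent from ACTUAL.
env_missing() {
    base=$(mktemp); act=$(mktemp)
    env_names "$1" > "$base"
    env_names "$2" > "$act"
    comm -23 "$base" "$act"
    rm -f "$base" "$act"
}

# env_changed BASELINE ACTUAL: names present in both dumps with different values.
env_changed() {
    base=$(mktemp); act=$(mktemp)
    env_names "$1" > "$base"
    env_names "$2" > "$act"
    comm -12 "$base" "$act" | while IFS= read -r name; do
        b=$(sed -n "s|^$name=||p" "$1")
        a=$(sed -n "s|^$name=||p" "$2")
        [ "$b" = "$a" ] || echo "$name"
    done
    rm -f "$base" "$act"
}

# Constructed sample dumps (hypothetical values, not real output from any host).
LOGIN_ENV=$(mktemp)
XINETD_ENV=$(mktemp)
cat > "$LOGIN_ENV" <<'EOF'
HOME=/home/abc
LOGNAME=abc
PATH=/usr/local/bin:/usr/bin:/bin:/home/abc/bin
SHELL=/bin/bash
TERM=xterm
EOF
cat > "$XINETD_ENV" <<'EOF'
PATH=/usr/bin:/bin
LANG=C
EOF

# Report what the xinetd-side program does not get compared with the login shell.
report() {
    echo "Missing under xinetd:"
    env_missing "$LOGIN_ENV" "$XINETD_ENV"
    echo "Different value under xinetd:"
    env_changed "$LOGIN_ENV" "$XINETD_ENV"
}

report
```

Variables that show up under "Missing" or "Different value" (typically HOME, PATH and the locale variables) are the ones a login shell's startup scripts set and a non-interactive su or sudo run may not, so they are the first candidates to set explicitly in the wrapper or in stunnel.conf rather than relying on the shell startup files.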