It seems that an AIX open file descriptor is not preserved across /bin/su.

I have a program that opens a file, then passes that file's file
descriptor to an exec'ed program with a command line argument. The
exec'ed program reads directly from that fd. No problem here, as file
descriptors are kept open across exec() calls.

But when I put /bin/su in between the calling and called program,
the called program gets errno 9 (Bad file descriptor) when
attempting to read. I guess somebody along the way (either su or sh)
has closed the file. I thought that perhaps a range of low fd's are
being closed (stdout, stderr, ...) so I tried dup2()'ing the fd to a
higher value (16 instead of 6) and use that instead. Same problem.

This same setup works well on other OS'es, e.g. Solaris. As often, AIX
is the odd one out. Anyone knows what's up here ? Or how to avoid/solve
this ?

TIA
Chris

Chris Breemer <chris_breemer@nl.compuware.com> wrote:
CB> It seems that an AIX open file descriptor is not preserved across /bin/su.

CB> I have a program that opens a file, then passes that file's file
CB> descriptor to an exec'ed program with a command line argument. The
CB> exec'ed program reads directly from that fd. No problem here, as file
CB> descriptors are kept open across exec() calls.

CB> But when I put /bin/su in between the calling and called program,
CB> the called program gets errno 9 (Bad file descriptor) when
CB> attempting to read. I guess somebody along the way (either su or sh)
CB> has closed the file. I thought that perhaps a range of low fd's are
CB> being closed (stdout, stderr, ...) so I tried dup2()'ing the fd to a
CB> higher value (16 instead of 6) and use that instead. Same problem.

CB> This same setup works well on other OS'es, e.g. Solaris. As often, AIX
CB> is the odd one out. Anyone knows what's up here ? Or how to avoid/solve
CB> this ?

It sounds like AIX's su behaves just like sudo does.

http://www.sudo.ws/pipermail/sudo-us...ly/001673.html

There's a suggestion in that thread for how to get around the
problem, but it's not pretty.

Regards,

Nicholas

--
http://www.faqs.org/rfcs/rfc1855.html
3.1.1 General Guidelines for mailing lists and NetNews
3.1.3 NetNews Guidelines

Nicholas Dronen <ndronen@io.frii.com> wrote in message news:<4016bd4d$0$70307$75868355@news.frii.net>...
[snip]

> It sounds like AIX's su behaves just like sudo does.
>
> http://www.sudo.ws/pipermail/sudo-us...ly/001673.html
>
> There's a suggestion in that thread for how to get around the
> problem, but it's not pretty.
>
Yes it seems exactly the same problem. I do not see a solution
in that thread though, except for the suggestion of using
a named socket instead of a pipe. Which is not useful for
me. I used a pipe only in my testing, the actual life
situation is a listener program that must pass an open
socket to a worker program invoked over su.

Thanks for the reply !
Cheers
Chris

Chris Breemer <chris_breemer@nl.compuware.com> wrote:
CB> Nicholas Dronen <ndronen@io.frii.com> wrote in message news:<4016bd4d$0$70307$75868355@news.frii.net>...
CB> [snip]
CB>
>> It sounds like AIX's su behaves just like sudo does.
>>
>> http://www.sudo.ws/pipermail/sudo-us...ly/001673.html
>>
>> There's a suggestion in that thread for how to get around the
>> problem, but it's not pretty.
>>
CB> Yes it seems exactly the same problem. I do not see a solution
CB> in that thread though, except for the suggestion of using
CB> a named socket instead of a pipe. Which is not useful for
CB> me. I used a pipe only in my testing, the actual life
CB> situation is a listener program that must pass an open
CB> socket to a worker program invoked over su.

Can't you make the program suid [ whoever ]?

Regards,

Nicholas

--
http://www.faqs.org/rfcs/rfc1855.html
3.1.1 General Guidelines for mailing lists and NetNews
3.1.3 NetNews Guidelines

Hi Nicholas,

> Can't you make the program suid [ whoever ]?
>
Yes, we have the option not to use su. Then the
listener just does setuid() and setgid() before
fork/exec'ing the server. That works without problem.

The reason we want to use su is so that the target user's
full logon environment is available to the server. I guess
we could use a shell to execute the target user's .profile,
but that would become cumbersome and clumsy compared
to using su.

Thanks again,

Chris