Re: "su -" and "su" - what is the real difference?
2006. July 28. 16:04, Michael Marsh:
> On 7/28/06, LeVA <leva@az.isten.hu> wrote:
> > Here comes a lame question, yes I know, but I need to hear the
> > experiences and opinions about this.
> > I've read through a number of documents which described the
> > differences between the real and effective user ids and I am now
> > just wondering about this:
> >
> > What is the difference (I mean in the "real world") between running
> > `su` (getting a non-login shell) and `su -` (getting a login
> > shell). Is there a security related problem with any of the
> > invocations above? AFAIK the real and effective uids are always set
> > to 0 after both commands.
[snip]
> What this means is that if you just run "su", you'll be left with the
> environment of the user from whose account you entered root's. In
> particular, $PATH, $LD_PRELOAD, and $LD_LIBRARY_PATH won't be unset.
> If the user is malicious, he can get you to run different programs
> than you thought you were running. That includes dynamically linking
> in (for example) a trojaned version of libc. It's precisely because
> your euid becomes 0 that this is a problem, since the malicious user
> can set up a root-privileged back door.

And can you tell me why the $USER and the $LOGNAME variables get
reset by su, no matter if I've invoked it with or without the '-'
option?

Under OpenBSD (yes, yes, I know this is not an obsd list :) if the target
uid is 0, then su (without the '-') changes neither the USER nor the
LOGNAME variable.

Is this a minor thing and I'm just facing two coders who were not
thinking the same when creating two different types of su programs; or
are those the same su programs and there is some deeper evil lying
behind those variables?

Daniel
--
LeVA
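
Added example (not part of the original thread): a POSIX shell check for the inherited variables the quoted reply names, $PATH, $LD_PRELOAD and $LD_LIBRARY_PATH. The function name `audit_env` and its optional trusted-uid argument are assumptions made for this example.

```shell
#!/bin/sh
# Added example; audit_env and its arguments are hypothetical names.
# Usage: audit_env PATH_VALUE LD_PRELOAD_VALUE LD_LIBRARY_PATH_VALUE [TRUSTED_UID]
# Prints one finding per line and nothing when the values look clean.
# The body runs in a subshell so the IFS and globbing changes stay local.
audit_env() (
    path_val=$1 preload_val=$2 libpath_val=$3 trusted_uid=${4:-0}

    # Both variables make the dynamic linker load caller-chosen libraries.
    if [ -n "$preload_val" ]; then
        echo "LD_PRELOAD is set: $preload_val"
    fi
    if [ -n "$libpath_val" ]; then
        echo "LD_LIBRARY_PATH is set: $libpath_val"
    fi

    # Split PATH on ':' with globbing off. The appended ':' keeps a trailing
    # empty entry, which the shell treats as the current directory.
    p="${path_val}:"
    IFS=:
    set -f
    set -- $p

    for dir in "$@"; do
        case $dir in
            "") echo "PATH has an empty entry (current directory)" ;;
            /*)
                # -H follows a symlinked entry such as /bin -> usr/bin.
                if [ -d "$dir" ] && [ -n "$(find -H "$dir" -prune \
                        \( -perm -0002 -o ! -user "$trusted_uid" \) 2>/dev/null)" ]; then
                    echo "PATH entry is world-writable or not owned by uid $trusted_uid: $dir"
                fi ;;
            *) echo "PATH has a relative entry: $dir" ;;
        esac
    done
)

# Report on the shell this script is run from.
audit_env "${PATH:-}" "${LD_PRELOAD:-}" "${LD_LIBRARY_PATH:-}"
```

Running it in the shell obtained from plain `su` and again after `su -` shows which of these values each invocation carried over.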