
Re: "su -" and "su" - what is the real difference?



"Michael Marsh" <michael.a.marsh@gmail.com> wrote:

> What this means is that if you just run "su", you'll be left with the
> environment of the user from whose account you entered root's.  In
> particular, $PATH, $LD_PRELOAD, and $LD_LIBRARY_PATH won't be unset.
> If the user is malicious, he can get you to run different programs
> than you thought you were running.  That includes dynamically linking
> in (for example) a trojaned version of libc.  It's precisely because
> your euid becomes 0 that this is a problem, since the malicious user
> can set up a root-privileged back door.

I'm wondering whether using "su -" is really safer.

We are considering the case where the user account used to run the
command is compromised (or the user owning this account is malicious,
which is more or less the same). He can easily trick you into believing
you're running /bin/su, whereas you're running some program of his
(using a shell function, or for more robustness exec()ing a modified
shell upon login where /bin/su actually calls a malicious program from
the user account). But this trick is really successful only if the fake
"su" program can eventually call the real one to get you root access
(otherwise, you'll quickly notice there is something wrong).

Is it possible for a malicious su wrapper to:

  1. record root's password (of course, yes);

  2. *and then* feed this password to the real "su".

I suspect the real "su" empties the stdin buffer (or something like
that) to avoid such attacks, but would be glad to hear a confirmation
from people who know better.

Thanks.

-- 
Florent
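A check in the spirit of Michael's quoted explanation, added here and not part of either message in the thread: it audits the three variables he names ($PATH, $LD_PRELOAD, $LD_LIBRARY_PATH) as a plain "su" would hand them to the root shell, and reports the values a login shell ("su -") would have discarded. The function name and the user-writable-prefix heuristic (/home, /tmp) are my own choices; the values are passed as arguments so the function can be run against any environment.

```sh
#!/bin/sh
# Added example: audit the environment a plain "su" would carry into a
# uid-0 shell.  Arguments: PATH, LD_PRELOAD, LD_LIBRARY_PATH as inherited.
# Returns 0 when nothing looks risky, 1 otherwise (findings go to stderr).
check_su_env() {
    path=$1; preload=$2; libpath=$3; status=0
    # A preload or library path inherited by root lets the calling
    # account choose which shared objects root's programs load.
    if [ -n "$preload" ]; then
        echo "risk: LD_PRELOAD is set: $preload" >&2; status=1
    fi
    if [ -n "$libpath" ]; then
        echo "risk: LD_LIBRARY_PATH is set: $libpath" >&2; status=1
    fi
    # Walk PATH entries.  "." or a relative entry resolves against the
    # current directory; a home or /tmp prefix (heuristic) points at files
    # the calling user controls, so "su" may not resolve to /bin/su.
    oldifs=$IFS; IFS=:
    for entry in $path; do
        case "$entry" in
            ""|.|./*|../*)
                echo "risk: PATH has current-dir entry '$entry'" >&2; status=1 ;;
            /home/*|/tmp/*)
                echo "risk: PATH has user-writable entry '$entry'" >&2; status=1 ;;
            /*) ;;
            *)
                echo "risk: PATH has relative entry '$entry'" >&2; status=1 ;;
        esac
    done
    IFS=$oldifs
    return $status
}

# Stand-alone run against the caller's own environment.
if check_su_env "${PATH:-}" "${LD_PRELOAD:-}" "${LD_LIBRARY_PATH:-}"; then
    echo "environment looks safe to pass through a plain su"
fi
```

Run it from the account you are about to "su" from; anything it reports is exactly what "su -" exists to throw away.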
