[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: "su -" and "su" - what is the real difference?

Goswin von Brederlow <brederlo@informatik.uni-tuebingen.de> wrote:

>>     if (isatty (0) && (cp = ttyname (0))) {
> For this to succeed the stdin must be a terminal. But nothing stops
> you from using a pseudo terminal (pty).

You're right, that works. Thanks.

My conclusion is that whether using "su" or "su -" from a non-privileged
user account doesn't really matter from a security POV, because you're
stuffed as soon as an attacker having access to this account makes you
run his own su wrapper (which is quite doable) to record the root


Reply to: