[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: As seen above: use of su vs sudo

On 2018-08-07, Michael Stone <mstone@debian.org> wrote:
> On Tue, Aug 07, 2018 at 11:14:26AM -0500, David Wright wrote:
>>On Tue 07 Aug 2018 at 15:31:43 (+0200), Nicolas George wrote:
>>> The Wanderer (2018-08-07):
>>> > > Anyone who learns the user's password can obtain the second password
>>> > > pretty easily.
>>> > How so?
>>> Just insert a fake su in their path. There are more subtle ways.
>>This does make me wonder why nobody here seems to have pointed out
>>that su should be spelled "/bin/su -". My fingers have been wired
>>that way for 20 years.
> Because it's unnecessary extra typing?

I thought his point might be that in typing the full path at least you
know you're getting '/bin/su' and not some other 'su' that a malevolent
individual might have created in your home directory after prepending HOME
to your path, for example (in that malevolent person's effort to elevate
himself to superuser status). 

Maybe he didn't mean that, though, and I've got things all wrong (famous
last words).

Some years ago, when the images which this world affords first opened upon me,
when I felt the cheering warmth of summer and heard the rustling of the leaves
and the warbling of the birds, and these were all to me, I should have wept to
die; now it is my only consolation. --Mary Shelley, Frankenstein; or, The Modern Prometheus

Reply to: