On Tue, Aug 07, 2018 at 06:01:27PM +0000, Curt wrote:
I thought his point might be that in typing the full path at least you know you're getting '/bin/su' and not some other 'su' that a malevolent individual might have created in your home directory after prepending HOME to your path, for example (in that malevolent person's effort to elevate himself to superuser status).
Yes, it's just a completely useless thing to do for most plausible attack scenarios. Typing unnecessary characters to possibly protect yourself from one extremely specific (and frankly unlikely) attack seems more superstition than science; in a couple of decades of looking at compromised computers, I can't recall ever running across an attack in the wild that depended on someone typing "su" and not "/bin/su".
Mike Stone