Subject: Re: CVS commit: basesrc/bin/ksh
To: Lucio De Re <firstname.lastname@example.org>
From: Bill Studenmund <email@example.com>
Date: 09/26/2002 12:01:39

On Thu, 26 Sep 2002, Lucio De Re wrote:
> On Thu, Sep 26, 2002 at 02:50:35PM +0200, Lubomir Sedlacik wrote:
> > there already is user with uid=0 and /bin/sh as a login shell.
> That's a security hole and a proverbial PITA. I thought it had been
> deprecated out of existence. It's not what "su" defaults to, either.

toor has a "don't use me" password. So how is it a security *hole*? To give
it a password, you have to be root, no? So the threshold at which toor can be
given a password is the same threshold at which a lot of other intrusions
can happen. How is this such a problem?

As for su, "su -m" (which is what I almost always use).