Subject: Re: su -d ?
To: NetBSD Userlevel Technical Discussion List <tech-userlevel@NetBSD.ORG>
From: David Laight <david@l8s.co.uk>
List: tech-userlevel
Date: 04/27/2003 21:21:02
You need to RTFM.....

'su - root' (and 'su -l root') are safe, it is 'su root' that
is dangerous.

	David

On Sun, Apr 27, 2003 at 04:14:51PM -0400, Greg A. Woods wrote:
> [ On Sunday, April 27, 2003 at 20:08:18 (+0100), David Laight wrote: ]
> > Subject: Re: su -d ?
> >
> > I was actually thinking of the case where you need to su to root,
> > but are deep within a directory hierarchy and don't want to change
> > the current directory.
> 
> Then don't use '-l'
> 
> > Using 'su root' is dangerous because it keeps all the baggage of the
> > existing user - if ENV is set it will run that script as root (which
> > is almost certainly not what you had in mind, never mind problems with
> > some malicious user typing export ENV=xxx while you aren't looking).
> 
> Then use 'env -i su root'
> 
> (and don't _EVER_ allow anyone to type to your session if you are
> privileged enough to 'su root' whether you're looking or not -- "export
> ENV=xxx" is the very least of your worries!!!!)

-- 
David Laight: david@l8s.co.uk
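The point of the thread is that a plain 'su root' hands the caller's whole environment, ENV included, to the root shell, while 'env -i' starts the child with nothing. The script below is an added example, not part of this thread or of NetBSD's su; it shows both behaviours on ordinary child shells (no privilege change) and adds a small pre-escalation check for shell start-up variables. The file path used is a constructed placeholder; the function names and BASH_ENV (bash's non-interactive counterpart of ENV) are my additions.

```shell
#!/bin/sh
# Added example, not code from the original thread. The path used as the
# ENV value is a constructed placeholder and is never executed: the child
# shells below are non-interactive, so they only report ENV, not source it.

# What a child started with the caller's environment intact sees.
# This is the 'su root' situation: ENV (and everything else) comes along.
env_seen_by_child() {
    ENV="$1" sh -c 'printf "%s" "${ENV:-unset}"'
}

# Same child, but started through 'env -i', which execs it with an empty
# environment. This is the 'env -i su root' form from the thread.
env_seen_by_child_clean() {
    ENV="$1" env -i sh -c 'printf "%s" "${ENV:-unset}"'
}

# Defensive check to run before escalating: report variables in the
# current environment that a shell honours at start-up. ENV is the one
# the thread discusses; BASH_ENV is the bash equivalent for
# non-interactive shells. Returns 0 when neither is set, 1 otherwise.
shell_startup_vars_set() {
    found=0
    [ -n "${ENV+x}" ]      && { printf 'ENV is set to: %s\n' "$ENV"; found=1; }
    [ -n "${BASH_ENV+x}" ] && { printf 'BASH_ENV is set to: %s\n' "$BASH_ENV"; found=1; }
    return $found
}

# Demonstration with the constructed placeholder value.
placeholder=/nonexistent/constructed-env-file.sh
printf 'child with inherited env sees ENV=%s\n' "$(env_seen_by_child "$placeholder")"
printf 'child behind env -i sees ENV=%s\n' "$(env_seen_by_child_clean "$placeholder")"
ENV="$placeholder" shell_startup_vars_set || :
```

Running it prints the placeholder path for the first child and "unset" for the second; the check function exits non-zero and names ENV, which is the cue to clear the environment (or use 'su -' / 'su -l') before typing the root password.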