Subject: Re: su -d ?
To: Greywolf <greywolf@starwolf.com>
From: Greg A. Woods <woods@weird.com>
List: tech-userlevel
Date: 04/28/2003 03:00:27
[ On Sunday, April 27, 2003 at 21:22:27 (-0700), Greywolf wrote: ]
> Subject: Re: su -d ?
>
>  But our 'su' is one that does things
> right:  It will set $HOME properly so that you get the .cshrc of the
> person you are becoming, instead of using the $HOME of the person you
> are su-ing _from_.  This is crucial!

Yes, I agree, this part it does do right.

(Though I suppose I should admit that I use the fact that $ENV isn't
cleared by a plain "su root" so that I can get my personal aliases
without having to source them manually every time -- I really don't want
root's $ENV, if there even is one.  Note my systems don't have csh or
even any remnant of its ugliness.)

But that's only a tiny part of being safe by default.  The default
really should be to clear the rest of the environment, and maybe even
that should be forced all the time -- i.e. no option to keep any of the
environment that's not sanitized by 'su', at least for anyone who's not
already the superuser.

The only tricky part is that too many people would want too many
exceptions.  It probably would start with $TERM, then someone would
whine about $TERMCAP (and/or $TERMINFO), and soon you'd have some
mis-informed person asking to keep $PATH intact, or worse.

I was going to suggest that 'su' always chdir() to the new user's $HOME
but that $OLDPWD be set to the starting directory so that "cd -" would
take you back to where you started, but then I realized the fallacy of
my idea.  :-)

Yes, strictly speaking (i.e. to always be as safe as possible) 'su'
should always completely cleanse the environment for everyone but the
superuser.  The only difference for '-l' should be that it does
chdir($HOME) first and prepends a '-' to the argv[0] for the shell so
that the shell thinks it's a login shell.  If this were true then, and
only then, could I conceive of any valid reason for an option which
still does the '-' prefix for argv[0] as '-l' does, but which does not
do the chdir($HOME).  I'd call such an option '-L' or similar though,
not '-d'.

Actually I think I'm going to modify my version of 'su' to work this
way.  I'd rather be safe (and have to type an extra command every time I
'su' in order to get my aliases) than be sorry....

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
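The policy argued for above (drop everything inherited except a tiny allow-list, always set HOME, SHELL, USER, LOGNAME and PATH from the target account, and let '-l' differ only by chdir($HOME) plus a '-' prefix on the shell's argv[0]) is small enough to show as code. What follows is an added example written for this page; it is not from the original message and not from NetBSD's or anyone else's su(1). The target user's home, shell and name are passed in rather than looked up with getpwnam(3), the fixed PATH is an assumed value, and the caller environment in main() is constructed, so it runs unprivileged and never actually execs a shell.

```c
/* Added example: environment sanitizing for a su-like program.
 * Not from the original message or any real su(1) implementation. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAFE_PATH "/usr/bin:/bin:/usr/sbin:/sbin"  /* assumed fixed PATH; never inherited */
#define MAX_ENV 16

/* Inherited variables the new environment may keep. Deliberately just TERM,
 * since every further exception (TERMCAP, ENV, PATH, ...) weakens the policy. */
static const char *const keep_list[] = { "TERM", NULL };

static int is_kept(const char *name)
{
    for (size_t i = 0; keep_list[i] != NULL; i++)
        if (strcmp(name, keep_list[i]) == 0)
            return 1;
    return 0;
}

/* Return a freshly allocated "NAME=value" string (value may be the whole entry). */
static char *make_var(const char *name, const char *value)
{
    size_t n = strlen(name) + (name[0] ? 1 : 0) + strlen(value) + 1;
    char *s = malloc(n);
    if (s == NULL)
        return NULL;
    snprintf(s, n, "%s%s%s", name, name[0] ? "=" : "", value);
    return s;
}

/* Build the sanitized environment for the target user from the caller's
 * NULL-terminated environment `inherited`. Everything is dropped except
 * keep_list names; HOME, SHELL, USER, LOGNAME and PATH always come from the
 * target account. Writes a NULL-terminated array into `out` and returns the
 * entry count, or -1 if `max` is too small or allocation fails. */
int build_clean_env(char *const *inherited, const char *home, const char *shell,
                    const char *user, char **out, size_t max)
{
    size_t n = 0;
    const char *fixed[][2] = {
        { "HOME", home }, { "SHELL", shell }, { "USER", user },
        { "LOGNAME", user }, { "PATH", SAFE_PATH },
    };
    for (size_t i = 0; i < sizeof fixed / sizeof fixed[0]; i++) {
        if (n + 1 >= max || (out[n] = make_var(fixed[i][0], fixed[i][1])) == NULL)
            return -1;
        n++;
    }
    for (size_t i = 0; inherited != NULL && inherited[i] != NULL; i++) {
        const char *eq = strchr(inherited[i], '=');
        if (eq == NULL)
            continue;                           /* malformed entry: drop it */
        char name[64];
        size_t len = (size_t)(eq - inherited[i]);
        if (len >= sizeof name)
            continue;                           /* oversized name: drop it */
        memcpy(name, inherited[i], len);
        name[len] = '\0';
        if (!is_kept(name))
            continue;
        if (n + 1 >= max || (out[n] = make_var("", inherited[i])) == NULL)
            return -1;                          /* "" name copies the entry verbatim */
        n++;
    }
    out[n] = NULL;
    return (int)n;
}

/* Value of NAME in a NULL-terminated "NAME=value" array, or NULL if absent. */
const char *env_lookup(char *const *env, const char *name)
{
    size_t len = strlen(name);
    for (size_t i = 0; env[i] != NULL; i++)
        if (strncmp(env[i], name, len) == 0 && env[i][len] == '=')
            return env[i] + len + 1;
    return NULL;
}

/* argv[0] for the new shell: the basename, with a leading '-' when `login`
 * is set so the shell treats itself as a login shell. Returns -1 if `buf`
 * is too small. */
int shell_argv0(const char *shell, int login, char *buf, size_t buflen)
{
    const char *base = strrchr(shell, '/');
    base = base ? base + 1 : shell;
    int r = snprintf(buf, buflen, "%s%s", login ? "-" : "", base);
    return (r >= 0 && (size_t)r < buflen) ? 0 : -1;
}

int main(void)
{
    /* Constructed caller environment: only TERM should survive. */
    char *caller_env[] = { "HOME=/home/woods", "TERM=xterm", "ENV=/home/woods/.shrc",
                           "TERMCAP=/home/woods/termcap", "PATH=/home/woods/bin:/usr/bin", NULL };
    char *env[MAX_ENV];
    char argv0[32];
    int n = build_clean_env(caller_env, "/root", "/bin/sh", "root", env, MAX_ENV);
    if (n < 0 || shell_argv0("/bin/sh", 1, argv0, sizeof argv0) != 0)
        return 1;
    printf("argv[0]=%s\n", argv0);
    for (int i = 0; i < n; i++)
        printf("%s\n", env[i]);
    /* A real su would now chdir(home) for -l and execve(shell, {argv0, NULL}, env). */
    for (int i = 0; i < n; i++)
        free(env[i]);
    return 0;
}
```

The point of the example is the shape of the allow-list: anything not named in keep_list, including the caller's ENV, TERMCAP and PATH, never reaches the new shell, and the "-l" versus plain case differs only in the argv[0] prefix (and the chdir, which the caller does just before exec).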