[Pkg-shadow-devel] Why is su preserving the environment?

Josselin Mouette joss at debian.org
Sat Jan 24 09:07:38 UTC 2009

On Saturday 24 January 2009 at 09:04 +0100, Reinhard Tartler wrote:
> the latter command indeed prunes the environment, and calling
>  su -c gnome-terminal -
> successfully fails (heh) with failing to open a display. What's the
> problem here?

"su -" is actually pruning the environment as it starts a login shell.
This should be slightly orthogonal to preserving the environment.
Actually, "su -p -" *does* preserve it. When not starting a login shell,
the -p option actually does nothing (and the documentation doesn’t
mention this).

I think Steve has a point, and as he explains, this is not a big
security issue; however, it is breaking the expectations you have when
logging in as another user. For example, it is not expected that starting
an application as the other user will re-use the running one, and it is
not expected that accessing the GNOME keyring will show the passwords of
the original user.

: :' :      We are debian.org. Lower your prices, surrender your code.
`. `'       We will add your hardware and software distinctiveness to
  `-        our own. Resistance is futile.
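
The difference between plain "su" and "su -" discussed above can be checked from the environment itself. The script below is an added example, not part of the original message or of the shadow package: it compares an `env` dump from the original session with one taken in the shell su started and lists the session-bound variables that crossed over unchanged. The watch list and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original message.
# Lists session-bound variables that are identical in the original user's
# environment and in the environment of the shell started by su.
# The watch list is an assumption; extend it for the desktop in use.
SESSION_VARS="DISPLAY XAUTHORITY DBUS_SESSION_BUS_ADDRESS SESSION_MANAGER
GNOME_KEYRING_SOCKET GNOME_KEYRING_CONTROL SSH_AUTH_SOCK"

# env_value FILE NAME: print NAME's value from an `env` dump.
# Exits non-zero when NAME is absent from the dump.
env_value() {
    awk -v n="$2" 'index($0, n "=") == 1 { print substr($0, length(n) + 2); f = 1; exit }
                   END { exit !f }' "$1"
}

# inherited_session_vars BEFORE AFTER
# Prints each watched variable whose value is the same in both dumps.
# Returns 1 when at least one was inherited, 0 when none were.
inherited_session_vars() {
    found=0
    for name in $SESSION_VARS; do
        # A variable missing from either dump cannot have been inherited.
        before=$(env_value "$1" "$name") || continue
        after=$(env_value "$2" "$name") || continue
        if [ -n "$before" ] && [ "$before" = "$after" ]; then
            echo "$name"
            found=1
        fi
    done
    return $found
}

# Command-line use: script BEFORE_DUMP AFTER_DUMP
if [ "$#" -eq 2 ]; then
    inherited_session_vars "$1" "$2"
fi
```

Take the first dump with `env > before.env` in the original session and the second one inside the shell that su started. Values that span several lines are not handled by this line-based parse.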