[Pkg-shadow-devel] Bug#611584: Bug#611584: /bin/su: not quite aggressive enough about cleaning the environment

Mike Frysinger vapier at gentoo.org
Tue Feb 1 06:16:47 UTC 2011

On Sun, Jan 30, 2011 at 10:03 PM, Zack Weinberg wrote:
> On Sun, Jan 30, 2011 at 6:55 PM, Mike Frysinger wrote:
>> On Sun, Jan 30, 2011 at 5:52 PM, Zack Weinberg wrote:
>>> "su -" is supposed to produce the same set of environment variables that you'd
>>> get if the destination user had logged in directly, but it misses at least a
>>> few variables that should be unset:
>> not really.  the man page says:
>>       -, -l, --login
>>           Provide an environment similar to what the user would
>>           expect had the user logged in directly.
>> it does not say "exactly"
> Those are weasel words intended to cope with the reality that su can't
> go through *exactly* the same code path as init -> getty -> login and
> therefore may not always get it spot on.
> Specific instances of not getting it spot on remain bugs, especially
> when they are security issues (DISPLAY and XAUTHORITY certainly are; I
> don't know about XDG_SESSION_COOKIE).

suing to root and claiming security issues makes no sense.  think
about it for all of three seconds.

as for the env vars you quoted, try reading the man page yet again:
    If --login is used, the $TERM, $COLORTERM, $DISPLAY, and
    $XAUTHORITY environment variables are copied if they were set.
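
Added example, not part of the original message or of the shadow package: one way to check which variables a `su -` session kept, split by whether they are among the four the quoted man page text documents. The function names (`carried_over`, `demo`) and the sample dumps are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: compare two `env` dumps, one from the calling session and one
# from inside `su -`, and report variables that kept the same value.
# Assumes one NAME=value per line (no multi-line values).

# Variables the quoted man page text says --login copies if they were set.
DOCUMENTED="TERM COLORTERM DISPLAY XAUTHORITY"

# carried_over BEFORE AFTER  ->  "documented NAME" / "undocumented NAME" lines
# An equal value is only a hint: a system-wide default can match by coincidence.
carried_over() {
    awk -v documented="$DOCUMENTED" '
        BEGIN { n = split(documented, d, " "); for (i = 1; i <= n; i++) doc[d[i]] = 1 }
        {
            eq = index($0, "=")
            if (eq < 2) next                      # not a NAME=value line
            name = substr($0, 1, eq - 1); value = substr($0, eq + 1)
        }
        FILENAME == ARGV[1] { before[name] = value; next }
        (name in before) && before[name] == value {
            kind = (name in doc) ? "documented" : "undocumented"
            print kind, name
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample dumps (not taken from the bug report).
demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/before" <<'EOF'
HOME=/home/alice
TERM=xterm
DISPLAY=:0
XAUTHORITY=/home/alice/.Xauthority
XDG_SESSION_COOKIE=constructed-cookie-value
EOF
    cat > "$tmp/after" <<'EOF'
HOME=/root
TERM=xterm
DISPLAY=:0
XAUTHORITY=/home/alice/.Xauthority
XDG_SESSION_COOKIE=constructed-cookie-value
EOF
    carried_over "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
}
```

On a real system the two inputs would be `env > before` in the calling shell and `env > after` inside the `su -` session.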
