[Pkg-shadow-devel] Bug#611584: Bug#611584: /bin/su: not quite aggressive enough about cleaning the environment
Zack Weinberg
zackw at panix.com
Tue Feb 1 18:16:22 UTC 2011
On Mon, Jan 31, 2011 at 10:16 PM, Mike Frysinger <vapier at gentoo.org> wrote:
> suing to root and claiming security issues makes no sense. think
> about it for all of three seconds.
I have. If you do "su -" instead of "su" you expect that to isolate
you from (for instance) hostile clients on the same X session. I
realize there are ways a determined attacker can get past anything su
can do (by attacking the unprivileged terminal you're typing at, for
instance), but that's not an excuse for su not even *trying*.
> as for the env vars you quoted, try reading the man page yet again:
> If --login is used, the $TERM, $COLORTERM, $DISPLAY, and
> $XAUTHORITY environment variables are copied if they were set.
That it is documented does not make it not a bug.
zw
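To make the disagreement above concrete, here is an added example (not code from the shadow project or from either poster) that emulates the documented `su --login` allow-list in plain POSIX shell and contrasts it with the stricter policy Zack is asking for. The input environment is a constructed sample, and `STRICT_KEEP` is a hypothetical allow-list, not anything shadow implements; on a real system the equivalent check is `su - -c env | grep -E '^(DISPLAY|XAUTHORITY)='`.

```shell
#!/bin/sh
# Added example, not code from shadow or from this thread.
# Emulates the man-page behaviour quoted above: with --login, su starts from a
# clean environment and copies only TERM, COLORTERM, DISPLAY and XAUTHORITY
# from the caller (login variables like HOME/PATH are then set fresh).
# STRICT_KEEP is a hypothetical stricter policy that also drops the two X
# variables, so the X session does not follow the user across the su boundary.

# Variables the shadow man page says `su --login` copies if they are set.
LOGIN_KEEP="TERM COLORTERM DISPLAY XAUTHORITY"
# Hypothetical stricter allow-list (assumption, not shadow's behaviour).
STRICT_KEEP="TERM COLORTERM"

# filter_env ALLOWLIST  (reads NAME=VALUE lines on stdin)
# Prints only the lines whose NAME is in ALLOWLIST; everything else is dropped,
# which is how an allow-list differs from the "strip known-bad names" approach.
filter_env() {
    keep="$1"
    while IFS= read -r line; do
        name=${line%%=*}
        for k in $keep; do
            if [ "$name" = "$k" ]; then
                printf '%s\n' "$line"
                break
            fi
        done
    done
}

# Constructed sample of an unprivileged user's environment on an X session.
SAMPLE_ENV='PATH=/home/zack/bin:/usr/bin
HOME=/home/zack
TERM=xterm
DISPLAY=:0
XAUTHORITY=/home/zack/.Xauthority
SSH_AUTH_SOCK=/tmp/ssh-XXXX/agent.1234
COLORTERM=truecolor'

# What survives a `su -` under the documented policy.
login_env() { printf '%s\n' "$SAMPLE_ENV" | filter_env "$LOGIN_KEEP"; }
# What would survive under the stricter policy.
strict_env() { printf '%s\n' "$SAMPLE_ENV" | filter_env "$STRICT_KEEP"; }

# has_var NAME < env-lines : succeeds if NAME is present in the filtered set.
has_var() { grep -q "^$1="; }

# Running the script prints the two filtered environments side by side.
echo "--- su --login keeps:"; login_env
echo "--- strict policy keeps:"; strict_env
```

The practical point of the allow-list form is that anything not named is gone by default; the thread's complaint is only about which names are on the list, and the second function shows the cost of the stricter choice (X clients run from the root shell will not find the display).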