[Pkg-shadow-devel] Bug#611584: /bin/su: not quite aggressive

velotiger at web.de velotiger at web.de
Sun Feb 13 01:06:47 UTC 2011


Hi, like Zack I dislike the new (Squeeze compared to Lenny) behaviour of "su -". Reasons:
1. For an unprivileged target user, it's useless to copy XAUTHORITY because he cannot read the invoking user's xauth file (if he could, it would be a security issue).
2. Root can easily extract an X11 cookie from any local file and merge it in his own xauth file (for root on NFS clients, see 1).
3. If you want automatic transfer of X11 cookies, there's a solution: pam_xauth. This also works for (1).
4. If you su to root and use the command xauth as root afterwards, you work on the invoking user's file, rendering it unusable for the user (xauth takes possession when writing the file: 0600 root:root).
5. I've been using (2) for years without any problem and stumbled upon (4) now :-(
Maybe I'll try to revert su to its old behaviour by means of pam_env. Afterwards su's manpage will disagree with reality on the systems I maintain, but I can live with that.
Regards,
 Tilmann
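
An added example, not part of the original message: a shell guard against the failure mode in point 4, where xauth run after su rewrites the invoking user's cookie file under the new user's ownership. The function names file_owner_uid, check_xauthority and sanitize_xauthority are hypothetical, and a POSIX shell with ls, awk and id is assumed.

```shell
#!/bin/sh
# Added example: detect an inherited XAUTHORITY that points at another
# user's cookie file before xauth gets a chance to write to it.

# Print the numeric owner uid of a file (parses `ls -n`, no GNU stat needed).
file_owner_uid() {
    ls -ldn -- "$1" 2>/dev/null | awk '{print $3}'
}

# check_xauthority FILE [UID]
# Returns 0 if FILE does not exist or is owned by UID (default: the
# effective uid), 1 if it belongs to someone else. In the second case a
# write by xauth would leave the file owned by UID with mode 0600, which
# is the situation the message describes.
check_xauthority() {
    file=$1
    uid=${2:-$(id -u)}
    [ -e "$file" ] || return 0
    owner=$(file_owner_uid "$file")
    [ "$owner" = "$uid" ]
}

# sanitize_xauthority [UID]
# Unset an inherited XAUTHORITY that fails the ownership check, so that
# later xauth calls use this user's own default file instead.
# Returns 1 when the variable had to be dropped, 0 otherwise.
sanitize_xauthority() {
    uid=${1:-$(id -u)}
    [ -n "${XAUTHORITY:-}" ] || return 0
    if ! check_xauthority "$XAUTHORITY" "$uid"; then
        echo "XAUTHORITY=$XAUTHORITY is not owned by uid $uid; unsetting" >&2
        unset XAUTHORITY
        return 1
    fi
}
```

Called from root's shell startup file, sanitize_xauthority keeps a later xauth invocation away from the invoking user's file; the cookie can still be merged by hand as in point 2.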
