[Pkg-shadow-devel] Bug#628843: login: tty hijacking possible in "su" via TIOCSTI ioctl

Simon Ruderich simon at ruderich.org
Mon Oct 3 20:22:55 UTC 2016


On Mon, Oct 03, 2016 at 09:58:23PM +0200, up201407890 at alunos.dcc.fc.up.pt wrote:
> Anyways, it is bad admin practice and/or an invasion of privacy to su to an
> unprivileged user.

Please explain to me why this is bad admin practice.

Let's assume I have an unprivileged user which is used to execute
a script in an isolated context. Now that script breaks and I
have to debug it. The user has no shell nor password. How do I
run a command as that user? What I did in the past was to run su
-s /bin/sh user and then debug and fix the problem. What is wrong
with that setup?

> This has been talked about a lot in the past, most of the time even closed as
> "WONTFIX".

In that case su should prevent a user from doing it, not cause
a security hole and not document that fact.

> What I'm saying is, it's OK if you can't come up with something. Better use
> 'su -c' in any case.

Often a terminal with a shell makes debugging much less painful.
su -c doesn't help there.

Regards
Simon
-- 
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
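Added example, not from this thread or from the shadow project: a small POSIX sh wrapper for the "su -s /bin/sh user" debugging workflow above that runs su on a freshly allocated pseudo-terminal via util-linux script(1), so the unprivileged shell's controlling tty is the new pty and a TIOCSTI on its stdin lands in its own input queue instead of the administrator's terminal. It assumes script(1) and shadow su(1) are installed; the legacy_tiocsti sysctl check applies to Linux 6.2 and later.

```shell
#!/bin/sh
# Run an interactive shell as an unprivileged user on a new pty.
# Assumes util-linux script(1) with -e/-q/-c and shadow su(1) with -s.
set -eu

# Reject user names that could smuggle extra words or options into the
# command line handed to script(1), which runs it through sh -c.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_-]*|-*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the su invocation that will run on the new pty.
su_cmd() {
    user=$1
    shell=${2:-/bin/sh}
    printf 'su -s %s -- %s' "$shell" "$user"
}

# script(1) allocates a new pty, makes it the child's controlling terminal
# and runs the command there; the typescript itself is discarded.
# -e propagates the child's exit status, -q suppresses the banner.
su_on_new_pty() {
    valid_user "$1" || { echo "refusing user name: $1" >&2; return 2; }
    script -q -e -c "$(su_cmd "$1" "${2:-/bin/sh}")" /dev/null
}

# On Linux >= 6.2 root can turn off the legacy TIOCSTI ioctl entirely
# (dev.tty.legacy_tiocsti = 0); report whether that is already the case.
tiocsti_disabled() {
    [ "$(cat /proc/sys/dev/tty/legacy_tiocsti 2>/dev/null)" = 0 ]
}
```

Usage: su_on_new_pty scriptuser /bin/sh, run as root; the child can still inject into its own pty, which only affects the child.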