Date: Thu, 26 Jun 2025 00:53:47 +0200 From: Polytropon <freebsd@edvax.de> To: Paul Vixie <paul@redbarn.org> Cc: FreeBSD Mailing List <freebsd-questions@freebsd.org> Subject: Re: two questions about su(1) Message-ID: <20250626005347.af00aaa0.freebsd@edvax.de> In-Reply-To: <2810770.4sosBPzcNG@localhost>
index | next in thread | previous in thread | raw e-mail
On Wed, 25 Jun 2025 20:26:04 +0000, Paul Vixie wrote: > first, why is the -c check not applied until after a password is collected? > > > ➜ ~ su -c zsh > > Password: > > su: only root may use -c The reason probably lies within the "business logic" of su: 1. check if user can su at all 2. if yes: request password 3. apply any further options when invoking session and check their respective restrictions 4. start shell That part, invoking the new session (shell), can include things like requesting a different *login class*. See "man su" for details, EXAMPLES section. Also see "man 5 login.conf" regarding login classes. > second, what exactly do we think this -c restriction is buying us? A change of the login class _might_ include changes to environmental variables (and that, in turn, can have effect on many things, from $PAGER to $EDITOR or any maliciously crafted $LD_PRELOADs, coming from a user-side "infected" ~/.login_conf), and maybe that is not actually desired for a non-root user, because... well, when you "su root", your're _totally_ expected to know what you're doing: you're abandoning all restrictions and safeguards, because with absolute power comes the ability to do something stupid and shoot your foot, if you really want that. ;-) -- Polytropon Magdeburg, Germany Happy FreeBSD user since 4.0 Andra moi ennepe, Mousa, ...help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20250626005347.af00aaa0.freebsd>