[CS-FSLUG] How to resolve an apparent Linux crash

Tim Young Tim.Young at LightSys.org
Sat Aug 28 10:59:15 CDT 2004


I did a quick check and some of the security issues are no longer as predominant.  It used
to be that su without the dash would take a lot of variables from the "current shell" and
use them as variables for root.  Some of these (namely the aliases) no longer are
pertinent.

For example, a student can set up an alias that is something like:
  alias ls="echo 'fred:xfdettysds:0:0::/:/bin/bash' >> /etc/passwd 2>/dev/null; /bin/ls"

Then call in the system administrator and ask for help.  If the admin did a su without the
-, the aliases from the student's login get passed into root's environment, and there is a
great chance to be hacked.  Luckily, the aliases are no longer being passed.  Oh well. 
Part of my knowledge is no longer useful.

But this one works.
Another security issue is that the PATH variable is still passed, as is, to the next login
if you su without the -.  Root has a path without the . in it.  So if you want to execute
a command that exists in the same directory but is not in the path, you need to run
./[command].  The reason for this is because...

A student can create a script named "ls" in their personal directory that does:
  #!/bin/bash
  echo 'fred:xfdettysds:0:0::/:/bin/bash' >> /etc/passwd 2>/dev/null
  rm /home/fred/ls
  /bin/ls

If root does an su without the -, then their path could still look like:
  /home/fred:/bin:/usr/bin
When root does an "ls", the first one the computer finds in the path of root is the one in
fred's directory.  It creates a root user, removes the traces of itself, and then does an
ls like root expects it to...

The paths that you get with su (without the dash) are the paths that come from the
previous login.  This means that you do not have any of the special root-only paths.  So
the commands that root can do, which users do not have permission to run, usually never
show up unless you type in the full path to the command.  This gets very annoying.

I use the su - and su (without the minus) fairly regularly.  Many places have custom
scripts at login that do a lot of stuff.  When someone's login script is faulty and kicks
them back out, you su to them with the - to see what the problem is, then su as them
without it to fix the problem.  (Some student system admins once pranked another system
admin so that every time she logged in a bizarre error was reported on her screen and she
was logged immediately out.  Using su - allowed me to see them, su without the dash
allowed me to go in and remove the problem.)

	- Tim

linux at rmf.mailshell.com wrote:
> 
> >(snip)
> Thanks, David,
> I did learn about su from the Linmodem fellow, but not this -. What does
> that do?
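
The following is an added example, not part of the original message or thread: a shell function that checks a PATH string, such as the one root inherits after `su` without the dash, for the entries the message describes (a user-owned directory such as /home/fred, or the current directory). The function name `audit_path`, its reason labels and the optional trusted-uid argument are hypothetical.

```shell
#!/bin/sh
# audit_path PATH_STRING [TRUSTED_UID]   (hypothetical helper name)
# Prints one "reason<TAB>entry" line per risky PATH entry. Exit status is
# 0 when nothing was flagged and 1 otherwise.
# Typical use right after becoming root:  audit_path "$PATH"
audit_path() (
    set -f                   # no globbing while splitting ls output
    trusted_uid=${2:-0}      # only this uid (root) may own PATH directories
    rest="$1:"               # trailing ':' so an empty last field is seen
    findings=0
    flag() { printf '%s\t%s\n' "$1" "$2"; findings=$((findings + 1)); }

    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            '') flag empty-means-cwd "$entry"; continue ;;  # "::" or edge ':'
            /*) ;;                                          # absolute: inspect
            *)  flag relative "$entry"; continue ;;         # "." and friends
        esac
        [ -d "$entry" ] || continue      # nonexistent directories are skipped
        # -L follows symlinks such as /bin -> usr/bin; -n prints numeric uids
        set -- $(ls -ldnL "$entry")
        mode=$1 owner=$3
        [ "$owner" = "$trusted_uid" ] || flag "owned-by-uid-$owner" "$entry"
        case $mode in
            ?????w*)    flag group-writable "$entry" ;;     # 6th char of mode
        esac
        case $mode in
            ????????w*) flag world-writable "$entry" ;;     # 9th char of mode
        esac
    done
    [ "$findings" -eq 0 ]
)
```

A non-zero status after a plain `su` means the inherited PATH contains a directory that someone other than root can put programs into.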



