
Re: Problems 'su'ing into the root user



On Aug 22, 2006, at 12:13 AM, Ansgar -59cobalt- Wiechers wrote:

>> JC listed them quite neatly for me.  While they both give UID 0 the
>> differences in the logging, in what happens if you accidentally type
>> the wrong thing, in enabling the root account, and in paying
>> attention to 'sudoers' make me prefer never to use 'su'.
>
> The only difference in logging that I can see is the command executed by
> sudo: /bin/bash in one case, /usr/bin/su in the other. The root account
> does NOT need to be enabled for "sudo su" to work, and I entirely fail
> to see how "sudo su" would not pay attention to 'sudoers'. I also fail
> to see how there's a difference between "accidentally typing the wrong
> thing in a root shell" and "accidentally typing the wrong thing in a
> root shell".
>
> Could you please actually *READ* a mail before replying to it? Thank
> you.

The exact difference between how sudo and su work is denoted in 'man sudo' under 'Security Notes.' The authors did not directly contrast with 'su' in their prose, but that is the gist of it.


Basically, 'sudo' prevents possibly-malicious environment variables (including PATH) from being inherited by the command being run as root. If you use '-s', 'sudo' is able to ensure that this remains consistent.

Having one setuid application invoke another is generally considered a bad idea (in this case, having sudo invoke su), as the second can possibly undo any checks that the first does.

1. Invoke sudo. Environment screened.
2. sudo invokes su. su is setuid root and can do whatever it wants, without any further checking by sudo (which is far more discriminate than su is), before it dumps you to a shell.


or...

1. Invoke sudo. sudo maintains all of its security throughout the process of generating a shell.

Which sounds better?
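An added audit script (written for this page, not code from the thread or from sudo's authors) that turns the two points above into checks: it flags sudoers settings that switch off sudo's environment screening or that name su as a permitted command, and it picks out sudo log entries whose COMMAND is su, since from that point on su, not sudo, is in control. The sudoers fragment, host name, user names and log lines are constructed; the sudo log lines follow the syslog format sudo writes by default.

```shell
#!/bin/sh
# Added audit helpers (not from the thread): flag sudoers settings that
# weaken sudo's environment screening or hand out su, and spot sudo log
# entries where the root shell came from su rather than 'sudo -s'.

# Constructed sudoers fragment for this example (hypothetical host).
SAMPLE_SUDOERS=$(mktemp)
cat > "$SAMPLE_SUDOERS" <<'EOF'
Defaults        env_reset
Defaults        env_keep += "LD_PRELOAD PATH"   # caller picks loader and search path
Defaults:deploy !env_reset                      # deploy inherits its whole environment
%admin          ALL=(ALL) ALL
deploy          ALL=(root) NOPASSWD: /usr/bin/su  # setuid chaining, as discussed
EOF

# Constructed sudo log lines in the syslog format sudo writes by default.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Aug 22 00:13:05 mini sudo:    alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/usr/bin/su
Aug 22 00:14:11 mini sudo:    alice : TTY=ttys000 ; PWD=/Users/alice ; USER=root ; COMMAND=/bin/bash
Aug 22 00:15:42 mini sudo:      bob : TTY=ttys001 ; PWD=/Users/bob ; USER=root ; COMMAND=/usr/bin/su -
EOF
trap 'rm -f "$SAMPLE_SUDOERS" "$SAMPLE_LOG"' EXIT

# Print one line per finding in a sudoers file (comments stripped first).
audit_sudoers() {
    sed 's/#.*$//' "$1" | while IFS= read -r line; do
        case "$line" in
            *Defaults*)
                if printf '%s\n' "$line" | grep -q '!env_reset'; then
                    echo "env_reset disabled: $line"
                elif printf '%s\n' "$line" | grep -q 'env_keep' &&
                     printf '%s\n' "$line" | grep -Eq '(^|[^A-Z_])(PATH|LD_|DYLD_)'; then
                    echo "env_keep passes a PATH or loader variable to root: $line"
                fi ;;
            *)
                # An 'ALL' command list allows 'sudo su' too; this only catches
                # rules that name su explicitly, which is why the log check matters.
                if printf '%s\n' "$line" | grep -Eq '[[:space:],]/(usr/)?bin/su([[:space:]]|$)'; then
                    echo "rule names su explicitly: $line"
                fi ;;
        esac
    done
}

# Print sudo log lines whose COMMAND is su: sudo's checks ended at that point
# and everything after came from su, not sudo.
find_su_via_sudo() {
    grep -E 'sudo:.*COMMAND=(/usr)?/bin/su( |$)' "$1" || true
}

audit_sudoers "$SAMPLE_SUDOERS"
find_su_via_sudo "$SAMPLE_LOG"
```

Point the two functions at /etc/sudoers (or a sudoers.d file) and the host's sudo log to run the same checks on a real system.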
References: 
 >Problems 'su'ing into the root user (From: Nate Rudd <email@hidden>)
 >Re: Problems 'su'ing into the root user (From: Simon Slavin <email@hidden>)
 >Re: Problems 'su'ing into the root user (From: Ansgar -59cobalt- Wiechers <email@hidden>)
 >Re: Problems 'su'ing into the root user (From: JC Derr <email@hidden>)
 >Re: Problems 'su'ing into the root user (From: Ansgar -59cobalt- Wiechers <email@hidden>)
 >Re: Problems 'su'ing into the root user (From: Simon Slavin <email@hidden>)
 >Re: Problems 'su'ing into the root user (From: Ansgar -59cobalt- Wiechers <email@hidden>)


