A Linux su surprise

May 25, 2006

I found out about Linux su's '-p' option from comments on a previous entry. The option is also known as -m and --preserve-environment; the manpage describes it tersely as 'do not reset environment variables', but the info document tells the full story:

Do not change the environment variables `HOME', `USER', `LOGNAME', or `SHELL'. Run the shell given in the environment variable `SHELL' instead of the shell from USER's passwd entry, unless the user running `su' is not the superuser and USER's shell is restricted. A "restricted shell" is one that is not listed in the file `/etc/shells', or in a compiled-in list if that file does not exist. Parts of what this option does can be overridden by `--login' and `--shell'.

I'm used to old-fashioned su's that always run the target user's login shell, no matter what. Being able to override the login shell is a bit alarming; although there are safeguards, it does make what you put in /etc/shells somewhat more dangerous. (Clearly you never want to put /bin/false or the like in there just to get something else to work right.)

At the same time, being able to run alternate shells for 'restricted' accounts as root is a useful trick (whether done through -p or directly through --shell). I'll have to remember it for the next time I want to fiddle with an environment owned by such an account; it certainly beats trying to do it as root and then chown'ing the setup all over.
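As an added example (not part of the original entry, and not code from su itself), here is a small POSIX shell audit of the two things discussed above: non-shell programs that have crept into /etc/shells, and the accounts that su will treat as 'restricted' because their shell is not listed there. It runs against constructed sample files; on a real system you would pass /etc/shells and /etc/passwd instead.

```shell
#!/bin/sh
# Added audit helper (not from the original post). Checks the /etc/shells
# property that su's -p / --shell handling depends on.

# Programs that are not login shells and must never be listed in /etc/shells:
# listing them makes accounts using them look "unrestricted" to su.
NON_SHELLS="/bin/false /usr/bin/false /sbin/nologin /usr/sbin/nologin"

# suspicious_shells SHELLS_FILE -> prints each non-shell entry found
suspicious_shells() {
    grep -v '^#' "$1" | grep -v '^$' | while IFS= read -r entry; do
        for bad in $NON_SHELLS; do
            if [ "$entry" = "$bad" ]; then echo "$entry"; fi
        done
    done
}

# restricted_accounts PASSWD_FILE SHELLS_FILE -> prints "user:shell" for every
# account whose shell is not listed in SHELLS_FILE (su's notion of restricted)
restricted_accounts() {
    while IFS=: read -r user pw uid gid gecos home shell; do
        [ -z "$shell" ] && shell=/bin/sh   # empty field traditionally means /bin/sh
        grep -qxF "$shell" "$2" || echo "$user:$shell"
    done < "$1"
}

# build_sample DIR -> writes constructed shells/passwd files (not real system data)
build_sample() {
    printf '%s\n' '/bin/sh' '/bin/bash' '/usr/sbin/nologin' > "$1/shells"
    printf '%s\n' 'root:x:0:0:root:/root:/bin/bash' \
        'www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin' \
        'backup:x:34:34:backup:/var/backups:/bin/rbash' \
        'alice:x:1000:1000:Alice:/home/alice:/bin/bash' > "$1/passwd"
}

WORK=$(mktemp -d)
build_sample "$WORK"
echo "Non-shell entries in $WORK/shells:"
suspicious_shells "$WORK/shells"            # /usr/sbin/nologin
echo "Accounts su treats as restricted:"
restricted_accounts "$WORK/passwd" "$WORK/shells"   # backup:/bin/rbash
rm -rf "$WORK"
```

Note that www-data is not reported as restricted, which is exactly the problem: because /usr/sbin/nologin is listed in the sample /etc/shells, su would honour -p or --shell for that account.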


Last modified: Thu May 25 16:01:26 2006