On Thursday 16 February 2006 01:44, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> issues. su has its own issues irrespective of SELinux; never su to an
> untrusted account.

It should be safe if you log in at the console and run "exec su - hostile"; that way the shell from your account has already terminated before the su program runs anything on behalf of the hostile user. The same goes for running "exec su" from an xterm.

If you ssh as a non-root user and have to su to root then you would do "exec su - root" followed by "exec su - hostile".

Also it should be safe to do "su hostile -c command" as there is special-case code in recent versions of the su program in Fedora to drop the controlling tty when the -c option is used.

But apart from these cases, don't su to a hostile account.

--
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
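
An added example, not part of the original message: a check that reads a process listing and reports su sessions that were started without "exec", so the invoking user's shell is still alive on the terminal the target account is using. The input layout (`ps -eo pid=,ppid=,user=,tty=,comm=`), the list of shell names, and the sample listing are assumptions made for this illustration.

```shell
#!/bin/sh
# Flag su processes whose invoking shell still exists on the same terminal.
# Expected input (assumption): lines of "pid ppid user tty comm".

# Constructed sample listing, not captured from a real system.
SAMPLE_PS='100 1 root tty1 login
101 100 alice tty1 bash
102 101 root tty1 su
103 102 hostile tty1 bash
200 1 root tty2 login
201 200 root tty2 su
202 201 hostile tty2 bash
300 1 root ? sshd
301 300 bob pts/0 bash
302 301 root pts/0 su
303 302 hostile ? make'
# tty1:  plain "su - hostile" typed into alice's shell (shell survives)
# tty2:  "exec su - hostile" (su replaced the shell; its parent is login)
# pts/0: "su hostile -c make" where su dropped the controlling tty

find_unsafe_su() {
    awk '
    { ppid[$1] = $2; user[$1] = $3; tty[$1] = $4; comm[$1] = $5 }
    END {
        for (pid in comm) {
            if (comm[pid] != "su") continue
            p = ppid[pid]
            if (!(p in comm)) continue
            # A parent that is a shell means su was not exec-ed.
            if (!(comm[p] ~ /^-?(sh|bash|dash|ksh|zsh|csh|tcsh)$/)) continue
            if (tty[pid] == "?" || tty[p] != tty[pid]) continue
            # Report only when a child of su is attached to that terminal.
            for (c in ppid)
                if (ppid[c] == pid && tty[c] == tty[pid])
                    print pid, user[p], user[c], tty[pid]
        }
    }' | sort -n
}

# Output columns: su pid, invoking user, target user, shared terminal.
printf '%s\n' "$SAMPLE_PS" | find_unsafe_su
```

On a live system the same function can be fed with `ps -eo pid=,ppid=,user=,tty=,comm= | find_unsafe_su`.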