Theodore Y. Ts'o - 05.08.18, 17:05: > On Sun, Aug 05, 2018 at 10:35:34AM +0200, Martin Steigerwald wrote: > > Now people say, including Debian maintainer of util-linux, in above > > NEWS file entry: Using "su" without initializing new environment is > > a bad idea and should never be done. For many reasons. However, > > nowhere I saw these reasons actually mentioned. That is not enough > > for an informed decision about it. I already opened a bug report > > for util-linux package about no concrete reasons provided: > > > > util-linux: su from util-linux: no reason why su without setting new > > environment is bad idea > > https://bugs.debian.org/905478 > > The reason why preserving the environment across a su or a sudo can be > dangerous is that environments that are meant for use by an > unprivileged process might not be appropriate at all when running as > root. There are lots of potential reasons why. Here are some: > > * The PATH might include the current directory, and so a script […] > So for that reason, it makes sense that a "sudo" or "su" command > should default to something safe. Thank you, Ted. This is the best explanation I saw so far. I accept it for default. In my specific case I still do not see any big issue with that cause the backup script runs on my laptop, the user I "su" from and "root" are both users only I have access to. So the risk in my case may mostly be that the script would pick an an inappropriate command. Due to me installing it. Someone who would get access to an regular user account could set up a bogus path as the user and install a malicious command there in order to gain "root" access or so. In my understanding of security it would be already too late if someone gained access to an user account on my laptop without my permission. However I just tested on Debian by logging in as "root" on "tty1" and it still gives me "~/bin" and the "local" binary directories. Its "~/bin" which would be "/root/bin", not writable to by a regular user. Interestingly enough it also prints the following error after entering the user name: "configuration error – unknown item 'ALWAYS_SET_PATH' (notify administrator)" The "login" command which is in the "login" package in Debian, which is part of the "shadow" source package, does not understand the option. It appears to me that sharing a configuration file like this is not such a good idea. However, it continues and I can still login. > > And then: How to implement a backup script that needs root access > > for > > most operations, but also requires access to SSH agent from a user > > setup? Dig out the environment variables of the SSH agent myself? > > Let > > the script run as a user and use "setprivs" that is mentioned as > > recommend in the "su" manpage, yet is in a different package > > altogether and not part of "util-linux". > > You might want to look at the man page for sudo, and its configuration > files, especially sudoers. It has a *huge* amount of fine-grained > controls over which environment variables should be reset, and which > ones which should be preserved, and whether or not a particular user > should be trusted to override environment variable processing on the > command line. I knew it has a *huge* amount of fine-grained controls, but I did not know off hand whether I can also specify what environment variables to take over, thank you for telling me. I think I will go that route. I intend to make sudo -i / sudo -s just always give SSH agent environment variables to the "root" shell on my laptop. However I likely do that when I feel like it. Its holiday time for me currently. And I do feel comfortable enough with using the "ALWAYS_SET_PATH" option on my laptop for now. Thanks, -- Martin -- To unsubscribe from this list: send the line "unsubscribe util-linux" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
