Re: two questions about su(1)

From: Polytropon <freebsd_at_edvax.de>
Date: Wed, 25 Jun 2025 22:53:47 UTC

On Wed, 25 Jun 2025 20:26:04 +0000, Paul Vixie wrote:
> first, why is the -c check not applied until after a password is collected?
> 
> > ➜  ~ su -c zsh
> > Password:
> > su: only root may use -c

The reason probably lies within the "business logic" of su:

	1. check if user can su at all

	2. if yes: request password

	3. apply any further options when invoking session
	   and check their respective restrictions

	4. start shell

That part, invoking the new session (shell), can include
things like requesting a different *login class*.

See "man su" for details, EXAMPLES section.

Also see "man 5 login.conf" regarding login classes.



> second, what exactly do we think this -c restriction is buying us?

A change of the login class _might_ include changes to
environmental variables (and that, in turn, can have
effect on many things, from $PAGER to $EDITOR or any
maliciously crafted $LD_PRELOADs, coming from a user-side
"infected" ~/.login_conf), and maybe that is not actually
desired for a non-root user, because... well, when you
"su root", you're _totally_ expected to know what you're
doing: you're abandoning all restrictions and safeguards,
because with absolute power comes the ability to do something
stupid and shoot your foot, if you really want that. ;-)



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...