Re: two questions about su(1)

From: <list_freebsd_at_bluerosetech.com>
Date: Thu, 26 Jun 2025 02:27:35 UTC
On 2025-06-25 13:26, Paul Vixie wrote:
> first, why is the -c check not applied until after a password is collected?
> 
>> ➜  ~ su -c zsh
>> Password:
>> su: only root may use -c
> 
> second, what exactly do we think this -c restriction is buying us?

It restricts class-hopping to those who can already gain unrestricted 
access to the system.  Without that, a user could use su to get around 
limits set in /etc/login.conf.

>> ➜  ~ su
>> Password:
>> root@util:/home/vixie # exec zsh
>> util#
> 

Try:
# su root -c zsh

su uses the login username to separate args to su from args to be passed 
to the shell it will exec.
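
The argument split described above, modelled in sh as an added example (not part of the original message and not su's own source). It assumes the FreeBSD synopsis `su [-c class] [-flms] [login [args]]` and ignores the bare `-` flag; `su_split` is a hypothetical helper that only parses and prints, it never invokes su.

```shell
#!/bin/sh
# Model of how su(1) divides its command line. Illustration only:
# nothing here authenticates or changes privileges.
su_split() {
    class="" flags="" OPTIND=1
    # Option parsing stops at the first non-option word (the login name).
    while getopts "c:flms" opt; do
        case "$opt" in
            c) class="$OPTARG" ;;            # -c before login: login class
            f|l|m|s) flags="$flags$opt" ;;
            *) return 2 ;;                   # unknown option
        esac
    done
    shift $((OPTIND - 1))

    login="root"                             # default target user
    if [ $# -gt 0 ]; then
        login="$1"
        shift
    fi

    # A login class request is what triggers "only root may use -c".
    class_needs_root="no"
    if [ -n "$class" ]; then
        class_needs_root="yes"
    fi

    # Whatever follows the login name goes to the target shell untouched.
    printf 'class=%s flags=%s login=%s class_needs_root=%s shell_args=%s\n' \
        "$class" "$flags" "$login" "$class_needs_root" "$*"
}

# Constructed sample invocations.
su_split -c zsh              # "zsh" is read as a login class name
su_split root -c zsh         # "-c zsh" is passed to root's shell
su_split -l -c staff alice -c id
```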