From: Dag-Erling Smørgrav
To: Paul Vixie
Cc: FreeBSD Mailing List
Subject: Re: two questions about su(1)
Date: Thu, 26 Jun 2025 18:21:07 +0200
Message-ID: <8634bmfp8s.fsf@ltc.des.dev>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions

Paul Vixie writes:
> first, why is the -c check not applied until after a password is collected?

You don't know who the target user is until after you've completed the
PAM conversation, because PAM can translate user names.

>> ➜ ~ su -c zsh

This means “switch credentials to the root user but with the login
class set to zsh instead of the root user's normal login class, then run
the root user's shell”. I suspect you actually meant “switch credentials
to the root user, then run zsh”, which is written `su root -c zsh` (here
the `-c zsh` part is not interpreted by su, but added to the shell's
command line).

DES
-- 
Dag-Erling Smørgrav - des@FreeBSD.org
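
The following is an added example, not part of the message above and not su's own code: a small model of the argument split the reply describes, where option parsing stops at the login name and everything after it goes to the shell. The option string is an assumption modeled on the su(1) synopsis `su [-] [-c class] [-flms] [login [args]]`, and `/bin/sh` stands in for the target user's shell.

```python
import getopt

# Assumption: option letters taken from the su(1) synopsis, not from su's source.
SU_OPTSTRING = "c:flms"
# Assumption: placeholder for the target user's login shell.
TARGET_SHELL = "/bin/sh"


def split_su_args(argv):
    """Split an su-style argument list into (login_class, user, shell_args).

    getopt.getopt() follows the traditional Unix rule: parsing stops at the
    first non-option argument, so a -c that appears after the login name is
    never seen as su's own option.
    """
    opts, rest = getopt.getopt(argv, SU_OPTSTRING)
    login_class = None
    for flag, value in opts:
        if flag == "-c":
            login_class = value      # consumed by su as a login class
    user = rest[0] if rest else "root"   # login defaults to root
    shell_args = rest[1:]                # handed to the shell untouched
    return login_class, user, shell_args


def shell_command_line(argv):
    """Return the argv the target shell would be started with."""
    _, _, shell_args = split_su_args(argv)
    return [TARGET_SHELL] + shell_args


if __name__ == "__main__":
    for args in (["-c", "zsh"], ["root", "-c", "zsh"]):
        cls, user, _ = split_su_args(args)
        print("su", " ".join(args))
        print("  login class:", cls)
        print("  target user:", user)
        print("  shell argv: ", shell_command_line(args))
```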