On 2018-08-07, Michael Stone <mst...@debian.org> wrote:
> On Tue, Aug 07, 2018 at 11:14:26AM -0500, David Wright wrote:
>>On Tue 07 Aug 2018 at 15:31:43 (+0200), Nicolas George wrote:
>>> The Wanderer (2018-08-07):
>>
>>> > > Anyone who learns the user's password can obtain the second password
>>> > > pretty easily.
>>> > How so?
>>>
>>> Just insert a fake su in their path. There are more subtle ways.
>>
>>This does make me wonder why nobody here seems to have pointed out
>>that su should be spelled "/bin/su -". My fingers have been wired
>>that way for 20 years.
>
> Because it's unnecessary extra typing?
>
I thought his point might be that in typing the full path at least you know you're getting '/bin/su' and not some other 'su' that a malevolent individual might have created in your home directory after prepending HOME to your path, for example (in that malevolent person's effort to elevate himself to superuser status). Maybe he didn't mean that, though, and I've got things all wrong (famous last words).

-- 
Some years ago, when the images which this world affords first opened upon me, when I felt the cheering warmth of summer and heard the rustling of the leaves and the warbling of the birds, and these were all to me, I should have wept to die; now it is my only consolation.
--Mary Shelley, Frankenstein; or, The Modern Prometheus
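A defensive check for the concern raised in this thread, as an added example that is not part of the original messages: a shell function that walks the search path in lookup order and reports anything a bare `su` would reach before `/bin/su`. The function name `path_shadows` and its output labels are made up for this illustration.

```shell
#!/bin/sh
# path_shadows NAME TRUSTED [SEARCH]   (hypothetical helper, added example)
# Walk SEARCH (default: $PATH) in lookup order and report everything that a
# bare NAME would hit before TRUSTED, e.g. NAME=su, TRUSTED=/bin/su.
# Exit status: 0 = TRUSTED is the first match; 1 = something precedes it,
# or it is never reached. The body is a subshell, so no variables leak.
path_shadows() (
    name=$1 trusted=$2 rest=${3-$PATH}:
    bad=0
    while [ -n "$rest" ]; do
        dir=${rest%%:*}   # next entry
        rest=${rest#*:}   # remainder; the appended ':' keeps a trailing empty entry
        case $dir in
            /*) ;;
            *)  # empty or relative entries resolve against the current directory
                echo "RELATIVE: entry '$dir' is searched before $trusted"
                bad=1
                dir=${dir:-.} ;;
        esac
        cand=$dir/$name
        # -ef compares device and inode, so /usr/bin/su on a merged-/usr system
        # is recognised as the same file as /bin/su (bash and dash support -ef).
        if [ "$cand" -ef "$trusted" ]; then
            exit "$bad"
        fi
        if [ -f "$cand" ] && [ -x "$cand" ]; then
            echo "SHADOW: $cand would run instead of $trusted"
            bad=1
        elif [ -w "$dir" ]; then
            # Informational only: a file named NAME could be created here later.
            echo "NOTE: $dir precedes $trusted and is writable by $(id -un)"
        fi
    done
    echo "UNREACHED: $trusted is not found via this search path"
    exit 1
)
```

Call it as `path_shadows su /bin/su` from the account that will run `su`. It inspects only the directory search path, so a shell alias or function named `su` is outside what it reports.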