pk wrote:
> ubiquitous1980 wrote:
>>> http://lists.debian.org/debian-security/2006/07/msg00059.html
>>
>> With "sudo su - " the man pages do not have ESC throughout. I have
>> learned sudo su from my ubuntu days and I am only guessing that this is
>> bad practice and that the correct command is $ sudo su -
>
> No need to guess. Messing with superuser privileges without a proper
> superuser environment (paths etc.) is considered bad from a security
> point of view; for instance, a malicious application could be installed
> in your user home dir, prepend the path to this to your local user $PATH
> and whenever you do "su" (without -) you could invoke this app with
> superuser privileges...
> So to summarize: The link above (debian.org) explains it quite well and
> yes, I would say it's a bad habit to omit -. :-)
>
> Best regards
>
> Peter K

Investigated this further...
With su, PATH=/sbin:/bin:/usr/sbin:/usr/bin
With sudo su, PATH=/sbin:/bin:/usr/sbin:/usr/bin
With sudo su -, PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.3.4:/usr/lib64/subversion/bin

This final PATH is the same as my user's account. I thought that this would be the other way around, and that with $ sudo su - I would expect the normal root path, so as to prevent a malicious program setting a path and allowing execution without identifying its specific location at the CLI. Perhaps I am confused.

Thanks
Damien
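
The risk discussed in this thread comes from PATH entries that a non-root user can own or write to. As an added example (not part of the thread), this script audits a PATH string such as the ones listed above for empty or relative entries, directories not owned by the trusted uid, and group- or world-writable directories; `audit_path` and `TRUSTED_UID` are names invented here.

```shell
#!/bin/sh
# Added example (not from the thread): flag PATH entries that a non-root
# user could control, since those are what an inherited PATH exposes to root.
# TRUSTED_UID is a knob invented for this sketch; 0 means "owned by root".
TRUSTED_UID=${TRUSTED_UID:-0}

# audit_path PATHSTRING
# Prints "reason<TAB>entry" per risky entry; returns 1 if any were found.
audit_path() {
    rest="$1:"        # trailing ":" so the last (possibly empty) entry is seen
    found=0
    while [ -n "$rest" ]; do
        entry=${rest%%:*}
        rest=${rest#*:}
        case $entry in
            /*) ;;
            *)  # empty, "." or relative: resolved against the current directory
                printf 'relative\t%s\n' "${entry:-<empty>}"; found=1; continue ;;
        esac
        [ -d "$entry" ] || continue     # nonexistent entries are skipped
        # -L follows symlinks such as /bin -> usr/bin; -n prints the numeric uid
        read -r mode _links uid _rest <<EOF
$(ls -ldnL "$entry")
EOF
        if [ "$uid" != "$TRUSTED_UID" ]; then
            printf 'owner-uid-%s\t%s\n' "$uid" "$entry"; found=1
        fi
        case $mode in
            ?????w*|????????w*)         # group-writable or world-writable
                printf 'writable\t%s\n' "$entry"; found=1 ;;
        esac
    done
    return "$found"
}

# Audit the PATH given as the first argument, or the current one.
audit_path "${1:-$PATH}" || echo "PATH has entries to review" >&2
```

Run it as root in each of the three shells compared above (su, sudo su, sudo su -) to see which inherited entries would need review.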