On Sun, Feb 28, 2010 at 03:56:13PM -0500, stosss wrote: > On Sun, Feb 28, 2010 at 7:28 AM, pk <pete...@coolmail.se> wrote: > > ubiquitous1980 wrote: > > > >>> http://lists.debian.org/debian-security/2006/07/msg00059.html > > > >> With "sudo su - " the man pages do not have ESC throughout. ?I have > >> learned sudo su from my ubuntu days and I am only guessing that this is > >> bad practice and that the correct command is $ sudo su - > > > > No need to guess. Messing with superuser privileges without a proper > > superuser environment (paths etc.) is considered bad from a security > > point of view; for instance, an malicious application could be installed > > in your user home dir, prepend the path to this to your local user $PATH > > and whenever you do "su" (without -) you could invoke this app with > > superuser privileges... > > So to summarize: The link above (debian.org) explains it quite well and > > yes, I would say it's a bad habit to omit -. :-) > > 7 years ago a veteran Linux user taught me to always use su - for the > very reason you stated. Actually, you are safe with either "su -" (without sudo) or "sudo -i". "sudo su -" is chaining "su -" on top of sudo, and is redundant because "sudo -i" and "su -" do the same thing afaik.
William
pgpS4XXUTGw4P.pgp
Description: PGP signature
