From Mageia wiki
Jump to: navigation, search


Drakconf multiflag.png
Other languages
Deutsch ; English ; Français ; Nederlands ;
Synopsis:
If you use su without --login option (abbreviated su -) then some files in your user home may become owned by root, creating future problems.

Using the command su to obtain root privileges is extremely risky, and may cause problems later that are not easily debugged if you are not familiar with the dangers.

Instead, when root privileges are needed, use su --login, which may be abbreviated as su -l, or just su -.

An alternative to using su -, is to use sudo.

Cause

To understand the difference and the danger of using just su, without the hyphen, start with the man page for su. From that page, adding the --login option makes the su command different in that it:

 Start the shell as a login shell with an environment similar to a real login:
 - clears all the environment variables except TERM and variables specified by --whitelist-environment
 - initializes the environment variables HOME, SHELL, USER, LOGNAME, and PATH
 - changes to the target user's home directory
 - sets argv[0] of the shell to '-' in order to make the shell a login shell

Following code examples show how the environment variables are affected by using the --login option.

First login only with su:

$ su

Password: # env|grep tester|sort LOGNAME=tester MAIL=/var/spool/mail/tester PWD=/home/tester SCREENDIR=/home/tester/tmp USER=tester # exit exit $

Result: The environment variables still referring to the original login id (tester in this case), instead of the root user ...


Now login with su --login:

$ su -

Password: # env|grep tester|sort # # exit exit $

Result: The environment variables got cleared and don't refer anymore to the original id (tester in this case).

What makes using su without the --login option dangerous is that many programs use those environment variables to control where they store files they use. If a program is run that updates a file stored in ~/.config, then the configuration file for that program in the users .config directory will become owned by root.

Later, after exiting from the su root privilege, if the user tries to run that same program and does something that causes it try to update its .config file, it will fail since the regular user can not update files owned by root.

The root owned files in the user's home directory will cause problems that may be very difficult to debug.

Warning!
Always remember to use su -, never just su!

Recovering form the mistake

If the mistake has already been made, it can be fixed with:

$ su -

Password: # chown -Rc tester:tester /home/tester # exit exit $

The option "c" for chown causes the command to show the changes it has made and option "R" stands for recursively. You need to exchange "tester" with your actual user name.


If IMAP is used for mail, the mail directory will need to have it's group changed back to mail with:

$ su -

Password: # chgrp -Rc mail ~/mail # exit exit $

There may be other changes needed for other applications, so check the output of the chown command carefully.