From Mageia wiki

Hello,

If we are going to give people examples of using su we should, by example, show security conscious good practice.

Just using su is trusting that your $PATH is what you think it is.

Is it?

You probably don't have time to check and you are probably wondering: why make a fuss?

After years of working as a professional ethical hacker and compromised system investigator and malware forensic analyst, I can tell you that hackers who can gain access to your account can trivially plant a "doctored" su, sudo, passwd (or any other command where you would be typing in a password). They can then very simply modify where you set your $PATH so when you type "su" it actually runs ${HOME}/bin/spoofed/su (or similar).

The spoofed su will look and behave exactly like the real su except it will do something like accept the password, email it to the hacker, then print an error message "su: Authentication failure", then it will re-name spoof/su (as spoof/su-) so the next time the user runs "su" they run the real "su".

How do I know this?

I have successfully penetrated systems and gained root in commercial server farms (doing management approved security testing) using exactly this simple method.

So, what is the "security conscious good practice" I mentioned?

Very simple: always (and make it a habit to) use /bin/su, not just su.

Same goes for any command involving passwords (sudo, passwd, etc.).

I think our Mageia documentation should show good security practices.
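As an added illustration of the $PATH problem described in this post (example code added here, not part of the wiki discussion): a small POSIX sh script that resolves a command name through a PATH list the way the shell does, lists the PATH entries the current user can write to, and compares what a bare name resolves to against the binary you expect. The demonstration builds a throwaway directory holding a harmless stand-in "su" placed ahead of a stand-in system directory; both directories and both scripts are constructed for the example, and on a real system the expected binary would be /bin/su.

```shell
#!/bin/sh
# Added example, not part of the wiki discussion. Shows how a bare "su" is
# resolved through $PATH and how to check what a password-prompting command
# actually points at before typing a password into it.

# Resolve NAME through PATH_LIST the way the shell does (first match wins).
resolve_in_path() {
    name="$1"; path_list="$2"
    old_ifs="$IFS"; IFS=:
    for dir in $path_list; do
        [ -z "$dir" ] && dir=.          # an empty entry means the current directory
        if [ -f "$dir/$name" ] && [ -x "$dir/$name" ]; then
            IFS="$old_ifs"
            printf '%s\n' "$dir/$name"
            return 0
        fi
    done
    IFS="$old_ifs"
    return 1
}

# Print every PATH_LIST entry the current user can write to. Any such entry
# ahead of /bin or /usr/bin is where a spoofed su/sudo/passwd could be planted.
writable_path_dirs() {
    path_list="${1:-$PATH}"
    old_ifs="$IFS"; IFS=:
    for dir in $path_list; do
        [ -z "$dir" ] && dir=.
        if [ -d "$dir" ] && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
        fi
    done
    IFS="$old_ifs"
    return 0
}

# Compare what NAME resolves to against the binary you expect (e.g. /bin/su).
# Returns 0 when they match, 1 when something else shadows it, 2 when not found.
check_command() {
    name="$1"; expected="$2"; path_list="${3:-$PATH}"
    found=$(resolve_in_path "$name" "$path_list") || {
        echo "$name: not found in PATH"; return 2; }
    if [ "$found" = "$expected" ]; then
        echo "$name -> $found (ok)"; return 0
    fi
    echo "$name -> $found (WARNING: shadows $expected)"; return 1
}

# Demonstration on a constructed PATH (hypothetical directories): a writable
# directory placed ahead of a stand-in system directory holds a stand-in "su"
# that only prints the usual failure message. A real spoof would first read the
# password, as the post describes; this one captures nothing.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/bin/spoofed" "$tmp/realbin"
    printf '#!/bin/sh\nexit 0\n' > "$tmp/realbin/su"        # stands in for /bin/su
    printf '#!/bin/sh\necho "su: Authentication failure" >&2\nexit 1\n' \
        > "$tmp/bin/spoofed/su"
    chmod +x "$tmp/realbin/su" "$tmp/bin/spoofed/su"

    hijacked="$tmp/bin/spoofed:$tmp/realbin"
    echo "Writable PATH entries:"; writable_path_dirs "$hijacked"
    check_command su "$tmp/realbin/su" "$hijacked" || true   # expected to warn
    # Typing the absolute path bypasses PATH lookup entirely:
    "$tmp/realbin/su" && echo "$tmp/realbin/su ran the stand-in system su, not the spoofed one"
    rm -rf "$tmp"
}

demo
```

On a live system the check you would actually run is `check_command su /bin/su` (and likewise `sudo` and `passwd` against their real locations), or simply `command -v su` before typing a password; `writable_path_dirs` with no argument inspects the current $PATH.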

morgano (talk) 07:05, 10 April 2023 (UTC)

I think it would be good to add this information on this page (use /bin/su -).

We also already explain that for sudo at Configuring_sudo#tip_3:_always_use_full_pathname_for_commands_prompting_for_passwords

People who want that level then can find the information.

Then the issue of laziness - I know this but still seldom type "/bin/", but then I don't run a server and am not very dependent on my computers...

It could help if we edit all examples of su and sudo to include "/bin/" path, so we and other users see it used everywhere.

sturmvogel (talk) 08:06, 10 April 2023 (UTC)

No other Linux distribution messes up its wiki or official documentation in this way. If somebody wants to do such nonsense, a dedicated wiki page would make more sense, such as "Increased (paranoid) security measures" or something like that...

LOLz! That is really good news: as long as there are people like sturmvogel around who ignore rational discussion and don't give a sh?t about security there will be people like me around who can trivially get their root password.

Many thanks (Vielen Dank)! Mu-ha-ha-ha. ;-)

sturmvogel (talk) 17:05, 11 April 2023 (UTC)

As long as there are people around who don't even know how to properly edit a wiki... and believe that they have the master knowledge about security concepts... nobody has to fear anything ;) And instead of complaining that nobody reads your stuff, you could already have implemented your stuff into the wiki. Or are you waiting for others to do the work for you?

morgano (talk) 19:18, 11 April 2023 (UTC)

I think it is good to discuss before changing such style. Can we agree on describing the practice of using the full path on this su page, like on the sudo page? And then leave it up to the user to decide whether to use it. Authors of wiki pages can use the full path or not, maybe depending on the situation (e.g. a server).