Revision as of 01:22, 10 November 2020


Using the command "su" to obtain root privileges is extremely risky, and may cause problems later that are not easily debugged if you are not familiar with the dangers.

Instead, when root privileges are needed, use "su --login", which may be abbreviated as "su -l", or just "su -".

To understand the difference and the danger of using just "su", without the hyphen, start with the man page for su. From that page, adding the --login option makes the su command different in that it ...

 Start the shell as a login shell with an environment similar to a real login:
 - clears all the environment variables except TERM and variables specified by --whitelist-environment
 - initializes the environment variables HOME, SHELL, USER, LOGNAME, and PATH
 - changes to the target user's home directory
 - sets argv[0] of the shell to '-' in order to make the shell a login shell

After a plain su, the environment variables still refer to the original login id (tester in this case) instead of the root user ...

$ su
Password: 
# env|grep tester|sort
LOGNAME=tester
MAIL=/var/spool/mail/tester
PWD=/home/tester
SCREENDIR=/home/tester/tmp
USER=tester
# exit
exit
$ su -
Password: 
# env|grep tester|sort
#

What makes using su without the login option dangerous is that many programs use those environment variables to decide where they store their files. If a program that updates a file under ~/.config is run in such a shell, the configuration file for that program in the user's .config directory will become owned by root.

Later, after exiting from the su root shell, if the user runs that same program and does something that causes it to try to update its .config file, it will fail, since the regular user cannot update files owned by root.

The root owned files in the user's home directory will eventually cause problems that may be very difficult to debug.

Always remember to use "su -", never just "su".

If the mistake has already been made, it can be fixed with ...

su -
chown -Rc tester:tester /home/tester

The -c option of chown makes it report each change it makes. If imap is used for mail, the mail directory will need to have its group changed back to mail with

chgrp -Rc mail ~/mail

There may be other changes needed for other applications, so check the output of the chown command carefully.
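As an added example (not part of this wiki page), here is a small POSIX sh helper that audits a home directory for entries not owned by its user, which is exactly the symptom described above, and prints the repair commands from this page without running them; the function names are my own.

```shell
#!/bin/sh
# Added example, not from the Mageia wiki page: find entries in a home
# directory that a plain "su" session left owned by another account, and
# print the repair plan from the page. Paths and users are arguments.

# List every entry under $1 not owned by user name or numeric uid $2
# (GNU and BSD find both accept a numeric id for -user).
foreign_owned() {
    find "$1" ! -user "$2" 2>/dev/null
}

# Number of such entries; 0 means the home directory is clean.
foreign_owned_count() {
    foreign_owned "$1" "$2" | wc -l | tr -d ' '
}

# Print (do not run) the commands that put ownership back: a recursive
# chown of the whole home and, when ~/mail exists, the chgrp that restores
# the mail group which the chown will have overwritten (imap setups).
repair_plan() {
    home=$1
    user=$2
    printf 'chown -Rc %s:%s %s\n' "$user" "$user" "$home"
    if [ -d "$home/mail" ]; then
        printf 'chgrp -Rc mail %s/mail\n' "$home"
    fi
}

# Run directly with --audit to check the invoking user's own home directory.
if [ "${1:-}" = "--audit" ]; then
    n=$(foreign_owned_count "$HOME" "$(id -un)")
    echo "entries in $HOME not owned by $(id -un): $n"
    if [ "$n" -gt 0 ]; then
        repair_plan "$HOME" "$(id -un)"
    fi
fi
```

Review the printed plan before running it: the chown in particular is recursive over the whole home directory.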