Gentoo Archives: gentoo-user

From: ubiquitous1980 <nixuser1980@×××××.com>
To: gentoo-user@l.g.o
Subject: Re: [gentoo-user] Manual pages (man pages) have ESC all through them when having used sudo.
Date: Sun, 28 Feb 2010 13:04:19
Message-Id: 4B8A69AF.8050408@gmail.com
In Reply to: Re: [gentoo-user] Manual pages (man pages) have ESC all through them when having used sudo. by pk
1 pk wrote:
2 > ubiquitous1980 wrote:
3 >
4 >
5 >>> http://lists.debian.org/debian-security/2006/07/msg00059.html
6 >>>
7 >
8 >
9 >> With "sudo su - " the man pages do not have ESC throughout. I have
10 >> learned sudo su from my ubuntu days and I am only guessing that this is
11 >> bad practice and that the correct command is $ sudo su -
12 >>
13 >
14 > No need to guess. Messing with superuser privileges without a proper
15 > superuser environment (paths etc.) is considered bad from a security
16 > point of view; for instance, an malicious application could be installed
17 > in your user home dir, prepend the path to this to your local user $PATH
18 > and whenever you do "su" (without -) you could invoke this app with
19 > superuser privileges...
20 > So to summarize: The link above (debian.org) explains it quite well and
21 > yes, I would say it's a bad habit to omit -. :-)
22 >
23 > Best regards
24 >
25 > Peter K
26 >
27 >
28 Investigated this further...
29
30 With su, PATH=/sbin:/bin:/usr/sbin:/usr/bin
31
32 With sudo su, PATH=/sbin:/bin:/usr/sbin:/usr/bin
33
34 With sudo su -,
35 PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/opt/bin:/usr/x86_64-pc-linux-gnu/gcc-bin/4.3.4:/usr/lib64/subversion/bin
36
37 This final PATH is the same as my user's account. I thought that this
38 would be the other way around, and that with $ sudo su - I would expect
39 the normal root path as to prevent a malicious program settinga path
40 and allowing execution without identifying its specific location at the CLI.
41
42 Perhaps I am confused.
43
44 Thanks
45
46 Damien