Why use "su -" rather than "su"

John Bray jmblin at comcast.net
Sun Jul 17 07:13:31 UTC 2005


On Sat, 2005-07-16 at 13:14 -0400, Tony Nelson wrote:
> At 1:27 PM +0100 7/16/05, Timothy Murphy wrote:
> >John Bray wrote:
> >
> >> and in any case, no matter if it is to root or another user, the -
> >> guarantees you've picked up that user's entire environment.  again, it's
> >> the key to having consistent behavior when you are being that user, root
> >> or otherwise.
> >
> >Could you give an example where the difference matters?
> >(I usually say "su -" but I'm not really sure why.
> >When I forget it never seems to cause any problem.)
> 
> The user you su from has put . in the path.  A bad guy (maybe the
> mischievous user) put a file named ls in the current directory.  You do su.
> You type ls.  Something happens.
> 
> The path settings are different, so you may need to remember where commands
> are stored.  su - lets you "be" root without being distracted by extra
> details that aren't relevant to the normal danger of being root.  You make
> an unnecessary mistake, such as typing rm -rf / usr/bin/foo.
> 
> None of this matters if you have faith in the user and faith that there
> can't be any malware on your system.

i think that there are several issues that get involved with this.
while it's true that perhaps many programs run as root will do the
expected thing, that is not always true.  particularly since some
programs have had two versions -- one in bin and one in sbin.  not
common, but i've sure seen it before.

when some program behaves differently because of something that is not
in the environment, but would have been in root's environment, you can
spend large amounts of time trying to figure out what went wrong, why,
and how to fix it.

i've been admining *nix systems since about 1980, and it's not uncommon
for root's environment to have extra stuff set up in it that is not done
for normal users.  while PATH and some other stuff is easily worked
around, there may be environmental variables set for root that are not.
and, particularly, given how fast FC/linux is changing and growing, new
ones may show up at any time.

i noticed that the non - version of su in FC4 changes $HOME.  that's a
pretty uncommon situation in my experience.  it does not, however change
either USER or MAIL to be for root.  and, it's not intended to do that
sort of thing in the non - version.

most of using the - version of su when you are su'ing to root, or any
user for that matter, is to be sure that you have a consistent
environment and that ALL things work as expected.

you can certainly get away without using a dash sometimes.  but, the
problem is that you just never know when something changed that would
have depended on some environmental setting only in root.

it's one of those things where you can sometimes get away with an
incomplete root environment.   but, eventually it WILL bite you.  and,
likely when it does bite you, it'll be in some very odd, hard to find
way.

true confession time -- i once foolishly put a grep in my bin -- yes, i
named a local file with a system program name.  it was grep.  i turned
on the -i switch to make it easier grepping for constants in a large
system.  but the software delivery tool didn't pick up a standard
environment.  and it picked up my grep.  which broke it badly.  two
lessons learned from that -- PATH must be set to some standard one.
and... NEVER put up a script or whatnot named the same as a system
program.

here's a classic case of how to realllly screw up.  su - to root.
echo $PATH
note that some dolt has managed to set root's path to include
/usr/local/bin BEFORE the official sbins!  want to guess how this
stupidity is eventually going to bite us all?  :-(

all you have to do is put something in /usr/local/bin that has the same
name as something in /sbin and root will never see the official version.

and it gets you even if you DO su - to root!  

this isn't something that the root environment will fix -- it's the root
environment that is screwed up in FC3/FC4 just now.

but, you can go into root's bash startup stuff and force it to a more
proper path.  then the su - might just save your butt big time!

so su - is not a panacea, but it can help to reduce the chances of
unexpected things happening.

john
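
An added example, not part of the original message: a read-only shell audit of the two PATH problems raised in this thread, a current-directory entry inherited through plain "su" and a directory such as /usr/local/bin that precedes the sbin directories. It generalizes the second case to any pair of PATH directories; the function names `risky_entries` and `shadowed_cmds` are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are this example's own.
# Read-only: it inspects a PATH string and the directories it names.

# risky_entries PATH: print entries that resolve against the current
# directory: ".", an empty entry, or any other non-absolute entry.
risky_entries() (
    IFS=:; set -f
    p="$1:"                     # trailing ':' preserves a final empty entry
    for d in $p; do
        case "$d" in
            /*) ;;              # absolute entry: fine
            '') echo '<empty>' ;;
            *)  echo "$d" ;;
        esac
    done
)

# shadowed_cmds PATH: for each executable name present in more than one
# PATH directory, print "name: winner shadows loser" in lookup order.
shadowed_cmds() (
    IFS=:; set -f
    p="$1:"
    for d in $p; do
        [ -n "$d" ] || d=.      # an empty entry is looked up as "."
        [ -d "$d" ] || continue
        set +f                  # allow the glob below
        for f in "$d"/*; do
            [ -f "$f" ] && [ -x "$f" ] && printf '%s\t%s\n' "${f##*/}" "$d"
        done
        set -f
    done | awk -F'\t' '
        $1 in first { if (first[$1] != $2) print $1 ": " first[$1] " shadows " $2; next }
        { first[$1] = $2 }'
)

# Audit the PATH of whoever runs this; compare after "su" and after "su -".
risky_entries "$PATH"
shadowed_cmds "$PATH"
```

Run it once after "su" and once after "su -" and compare the output. Any line from `risky_entries`, or a `shadowed_cmds` line whose winner is not a system directory, is worth checking by hand.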



