Women in Technology

Hear us Roar



Article:
  Top Ten Mac OS X Tips for Unix Geeks
Subject:   sudo and su pitfall (re #2)
Date:   2002-10-25 15:47:05
From:   anonymous2
I used to use sudo all the time, but now I exclusively use "su -". Here's why I don't use sudo or su without the "-":


1) If you sudo is set so it won't ask for your
password unless you haven't used su for 10
minutes, what happens if a couple of minutes
after you intentionally run sudo to do
something, you run a script or binary that
contains (perhaps deep inside it, either
accidentally or maliciously):


sudo SOMETHING_REALLY_DANGEROUS


I belive the command will run without any
warning. I'd prefer to avoid that
possiblity.


2) I don't omit the "-" in "su - root" because
without the dash you may not get a
completely clean root envt. This can
surprise you if (for example) if you
normally set your umask at 007 (for
security or whatever) and then you run
"su root" to do something. If you expected
the root command to run with root's normal
umask of 002, it may well not -- "su root"
may run using bits of your normal user
envt -- to what extent this happens, and
under what conditions may be dependent on
your shell, shell startup scripts, os, and
version of su, and I'd rather be safe than
sorry.


One time I ended up realizing after a
complex install on a unix system, that
many files had the wrong "other" permissions
because "su root" had given root my 007
umask, not 002. Cleaning this up was a
pain.


And of course, having root inherit your user
PATH could be downright dangerous.


FWIW.