SC> Try
SC> sudo env -i SHELLOPTS=xtrace su -p - nobody

(I don't use sudo)
uid=0(root) gid=0(root) groups=0(root)
# env -i SHELLOPTS=xtrace su -p - nobody
+ PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
+ '[' /bin/sh ']'
+ PS1='[EMAIL PROTECTED]:\w\$ '
+ export PATH
+ umask 022
[EMAIL PROTECTED]:/root$ kill -1 $$
+ kill -1 6215
# env -i SHELLOPTS=xtrace su -p - nobody
+ PATH=/usr/local/bin:/usr/bin:/bin:/usr/bin/X11:/usr/games
+ '[' /bin/sh ']'
+ PS1='[EMAIL PROTECTED]:\w\$ '
+ export PATH
+ umask 022
[EMAIL PROTECTED]:/root$ logout
#

Above on my first attempt the shell stayed alive, so I typed kill -1 $$
(instead of exit, so it would be clear that I typed it, as that is
something the "magic hand" never uses.) On the second and later
attempts, some magic hand typed "logout" for me. The magic hand also
sometimes types "exit"...

SC> nobody's shell is sh (being bash) or bash, right?
SC> $ getent passwd nobody
SC> nobody:x:65534:65534:nobody:/nonexistent:/bin/sh

Same here.

SC> $ dpkg -S "$(command -v su)"
SC> login: /bin/su

Same here.
$ ls -og /bin/sh
lrwxrwxrwx 1 4 2008-04-29 07:04 /bin/sh -> bash

SC> Which su is your su? Is it using PAM?
SC> $ ldd /bin/su

Same here except for the hex numbers.

SC> $ grep '^[^#]' /etc/pam.d/su

Same here.

SC> (also check the included files).

Never touched them.
$ cd /etc/pam.d&&find * -atime -1 -type f|xargs ls -og
-rw-r--r-- 1  392 2005-07-26 16:48 common-account
-rw-r--r-- 1  436 2005-07-26 16:48 common-auth
-rw-r--r-- 1 1097 2005-07-26 16:48 common-password
-rw-r--r-- 1  372 2005-07-26 16:48 common-session
-rw-r--r-- 1  289 2005-07-05 22:45 cron
-rw-r--r-- 1 2843 2006-09-17 15:22 login
-rw-r--r-- 1  520 2003-09-01 06:21 other
-rw-r--r-- 1 2305 2006-07-14 19:05 su
-rw-r--r-- 1  289 2007-08-13 23:54 xdm

The only thing I tampered with is probably just making a
$ ls -og /etc/environment
-rw-r--r-- 1 0 2008-05-02 03:37 /etc/environment
to stop the warning in /var/log/auth.log if it is absent. The pam stuff
came with my Debian sid installation and apt-get says removing it
"should NOT be done unless you know exactly what you are doing!" i.e.,
not me, so I dare not touch it.