Hello again,

Only focusing on su for this mail, have now studied the previously spotted differences between util-linux and shadow in more detail...
TL;DR NEWS.Debian entry and ignoring the difference is probably safe. More details below.... Feedback very welcome!

>
> # su

I was told by util-linux upstream that there was previously a difference in goals, where shadow would care about historical things like systems that did not have PAM. I interpret this that there's no real interest in introducing these legacy things in util-linux, so in case anyone wants to preserve those it's probably better to continue the shadow (upstream) implementations for that. This isn't as I can see anything to be considered in Debian though.

>
> The util-linux version supports all command-line options listed in
> shadow su manpage. Possible slight implementation details might
> differ for example in -p (needs investigation).
>
> The util-linux version does not support the following shadow su
> login.defs variables:
>
> CONSOLE_GROUPS

Manpage description makes this sound like a bad idea to implement.

Looking at source:
http://sources.debian.net/src/shadow/1:4.4-2/src/su.c/#L1089
http://sources.debian.net/src/shadow/1:4.4-2/libmisc/setugid.c/#L132

... and build logs:
https://buildd.debian.org/status/fetch.php?pkg=shadow&arch=amd64&ver=1%3A4.4-2&stamp=1484851064&raw=0

It seems that HAVE_INITGROUPS is true and USE_PAM is also true, making the preprocessor condition false which means we don't build with CONSOLE_GROUPS support in Debian shadow su.

The login.defs manpage should probably document this setting is not considered when PAM is enabled (which would be extremely common these days).

=> CONSOLE_GROUPS (non-)existence can safely be ignored.

> DEFAULT_HOME

util-linux has the opposite default (only warn), and doesn't support manual configuring this setting.

http://sources.debian.net/src/util-linux/2.29.1-1/login-utils/su-common.c/#L979

Might be useful to implement support for this setting in util-linux. Question remains about default, maybe implement a configure time setting for the default?
How much do we really care about this setting though? I personally don't think this is a blocker (for su - for login it would be important to support it), would rather consider it a wishlist feature request that anyone is free to submit a patch to upstream for if they want to see it supported.

=> consider as potential wishlist-severity feature request if anyone is interested?!

> SULOG_FILE

It seems shadow had the intention for *optional* support of syslog (but it's actually always enabled at compile-time and configurable at runtime), and non-optional support for built-in logging system. This is likely something we want the opposite way around in a modern system, so I'd advocate for deprecating this option if we move to util-linux su.

=> consider deprecated?! (Possibly implement a warning on upgrades on systems which have it set?)

> SU_NAME

This seems like a pretty superficial feature to me. (Note: messing with argv0 also seems to cause problems when busybox is being used as /bin/sh as experienced by OpenEmbedded.)

=> consider deprecated?!

> SYSLOG_SU_ENAB

In util-linux syslog logging is mandatory. I don't see a reason to be able to switch it off.

=> consider deprecated?!

----

Also note the following su related patches carried in Debian shadow package:

http://sources.debian.net/src/shadow/1:4.4-2/debian/patches/523_su_arguments_are_concatenated/
http://sources.debian.net/src/shadow/1:4.4-2/debian/patches/523_su_arguments_are_no_more_concatenated_by_default/

Both seem obsolete (the second one even says to be dropped after etch which was released 2007). (Also pbuilder seems to have switched from su to start-stop-daemon.)

Regards,
Andreas Henriksson
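The upgrade-time warning floated above for SULOG_FILE could be driven by a scan like the following, which reports every su-related login.defs variable from the list in this mail that is actively set. This is an added example, not part of the original mail or of the shadow or util-linux packages; the function names and the sample file are constructed, and a real caller is assumed to pass /etc/login.defs.

```shell
#!/bin/sh
# Added example: find shadow-su login.defs settings that util-linux su
# would not honour, so an upgrade can warn instead of silently changing
# logging or home-directory behaviour.

# Print "NAME=VALUE: note" for each affected setting that is set in file $1.
# Exit status: 0 = at least one found, 1 = none, 2 = file unreadable.
scan_login_defs() {
    [ -r "$1" ] || return 2
    awk '
        BEGIN {
            # Notes follow the findings stated in the mail.
            note["CONSOLE_GROUPS"] = "not built into Debian shadow su when PAM is enabled"
            note["DEFAULT_HOME"]   = "util-linux su only warns and is not configurable"
            note["SULOG_FILE"]     = "not supported by util-linux su"
            note["SU_NAME"]        = "not supported by util-linux su"
            note["SYSLOG_SU_ENAB"] = "syslog logging is mandatory in util-linux su"
        }
        /^[ \t]*#/ || NF == 0 { next }      # skip comment and blank lines
        ($1 in note) {
            val = $0
            sub(/^[ \t]*[^ \t]+[ \t]*/, "", val)   # drop the variable name
            sub(/[ \t]+$/, "", val)                # drop trailing blanks
            printf "%s=%s: %s\n", $1, val, note[$1]
            hits++
        }
        END { exit (hits ? 0 : 1) }
    ' "$1"
}

# Constructed sample input, not taken from a real system.
make_sample_login_defs() {
    cat <<'EOF'
# constructed sample login.defs
MAIL_DIR        /var/mail
SYSLOG_SU_ENAB  no
#SU_NAME        su
SULOG_FILE      /var/log/sulog
DEFAULT_HOME    yes
EOF
}

# Demo on the constructed sample.
tmp=$(mktemp) && make_sample_login_defs > "$tmp" && scan_login_defs "$tmp"
rm -f "$tmp"
```

A commented-out setting such as `#SU_NAME` is not reported, since only whole-line comments are skipped and the variable must be the first field of an active line.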