On Monday, November 12, 2012 17:41:49, Adam wrote: > dragorn wrote: > > On Mon, Nov 12, 2012 at 12:25:51PM -0500, Adam wrote: > >> It just seems strange to me that the same command (even if unlikely > >> and unsafe) should produce different yet successful results under > >> different distros. > > > > Single quotes would get the root shell path, double would get the > > executing users path and has nothing to do w/ sudo (as jack noted). > > But as I mentioned, with single quotes (as in the subject header) some > distros return the user's path, others return root's path. Even if it's > a command that shouldn't be counted on, I was surprised to see a > difference between distros. My test system has room for 7 different > distros, so I'm learning about other ways to do things in Linux than > "the Mandriva way".
Before you pointed out that Debian was behaving differently concerning the resulting path after an su, I occasionally noticed documentation about using 'su -' to bring in root's path rather than the users' path, but I never ran into a lack of having root's path when doing 'su' by itself rather than 'su -' on Debian and didn't know why. I think dragorn's got the right answer of it being concerns over possible exploits via the PATH. On Ubuntu users are expected to run root-level scripts/programs via sudo, and not use su because there's no root account -- while it's parent Debian tends to focus on using su more often than sudo. There are arguments as to which is "more secure", and I haven't seen a definitive conclusion on that. > > Sudo by default filters most/all environment variables, because it can > > be a huge security risk. Massively so if you have a multiuser system > > which uses restricted sudo to allow users to perform specific tasks > > (vs a single-user system like an ubuntu desktop which uses sudo to > > raise privs of the single owner) > > That answers another question I was going to ask someday, why some > distros allow an unprivileged user to "poweroff" but others require > privileges. Thanks! This is a similar problem -- because powering off the box is something that requires root-level privileges. This thus bumps into any additional security features that a particular distribution has -- or possibly the init system that's used. For instance normally on Debian a user within KDE4 can choose "Shut down" to power off the system; however this does /not/ work if the bootup init system is systemd -- when running systemd the user is instead logged out and brought back to the kdm login prompt, whereby the system /can/ be shutdown from there. So I agree with dragorn's answer of "because" on both of these, but I've added a bit of detail you can look into if you want. ;-) -- Chris -- Chris Knadle [email protected] _______________________________________________ Mid-Hudson Valley Linux Users Group http://mhvlug.org http://mhvlug.org/cgi-bin/mailman/listinfo/mhvlug Upcoming Meetings (6pm - 8pm) Vassar College Dec 5 - SysAdmin Panel Jan 9 - High Performance Computing Feb 6 - February Meeting
