Re: New su behavior in util-linux 2.32
On 2018-08-12 00:13:31 +, Dale Forsyth wrote: > > From: Pétùr > Sent: Saturday, 11 August 2018 7:41 PM > To: debian-user > Subject: New su behavior in util-linux 2.32 > > Using 'su' generates now an path error when launching programs such as > 'shutdown'. The cause is a new behavior described below. > --- > util-linux (2.32-0.4) unstable; urgency=medium > > The util-linux implementation of /bin/su is now used, replacing the > one previously supplied by src:shadow (shipped in login package), and > bringing Debian in line with other modern distributions. The two > implementations are very similar but have some minor differences (and > there might be more that was not yet noticed ofcourse), e.g. > > - new 'su' (with no args, i.e. when preserving the environment) also > preserves PATH and IFS, while old su would always reset PATH and IFS > even in 'preserve environment' mode. > - su '' (empty user string) used to give root, but now returns an error. > - previously su only had one pam config, but now 'su -' is configured > separately in /etc/pam.d/su-l > > The first difference is probably the most user visible one. Doing > plain 'su' is a really bad idea for many reasons, so using 'su -' is > strongly recommended to always get a newly set up environment similar > to a normal login. If you want to restore behaviour more similar to > the previous one you can add 'ALWAYS_SET_PATH yes' in /etc/login.defs. > --- And this is illogical: the default behavior cannot be a bad idea. If the current behavior is really bad, then 'su' should behave like 'su -'. > The new 'su' is useless for me because it cannot launch root program. I have no such problem, though. -- Vincent Lefèvre - Web: <https://www.vinc17.net/> 100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/> Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
Re: New su behavior in util-linux 2.32
On 2018-08-13 14:06 +0100, Darac Marjal wrote: > Actually, util-linux is distributed by the Linux Kernel Organization > (i.e. the folks at kernel.org). So, yes, Debian has to match what Red > Hat does inasmuch as Red Hat uses a Linux kernel and so does > Debian. It just makes sense to use the kernel-provided kernel > utilities. > > As an aside, I don't know what the situation is with the *BSD > Debians. They presumably don't use util-linux, so I *guess* they're > still using su from src:shadow? No, kfreebsd and hurd also use util-linux and its su implementation. While not all programs in the util-linux suite work on non-Linux architectures, many of them do. https://sources.debian.org/src/util-linux/2.32.1-0.1/debian/util-linux.install/ Cheers, Sven
Re: New su behavior in util-linux 2.32
On Mon, Aug 13, 2018 at 08:43:12AM -0400, Greg Wooledge wrote: On Sat, Aug 11, 2018 at 11:41:34AM +0200, Pétùr wrote: The new 'su' is useless for me because it cannot launch root program. I did the modification in /etc/login.defs and restore the previous behavior. However I am concern with the statement " Doing plain 'su' is a really bad idea for many reasons". Could someone explain to me why this is a bad behavior? It's not what Red Hat does, and therefore "oh, we have to change to match what Red Hat does". Actually, util-linux is distributed by the Linux Kernel Organization (i.e. the folks at kernel.org). So, yes, Debian has to match what Red Hat does inasmuch as Red Hat uses a Linux kernel and so does Debian. It just makes sense to use the kernel-provided kernel utilities. As an aside, I don't know what the situation is with the *BSD Debians. They presumably don't use util-linux, so I *guess* they're still using su from src:shadow? Never mind the fact that it's a completely stupid, intrusive, pointless change that breaks the behavior that has been working properly in Debian for decades. Who cares about things working properly, or backward compatiblity, or common sense? GOTTA MATCH RED HAT! Change should be acceptable IF there is a good reason for it. I'll agree, though, that it's not really been well-communicated how "su -" is better than "su" and why, apparently, the meaning of the two have been swapped over. But if the point is to make things more secure, then that's a perfectly acceptable reason for breakage. Users will be confused? SCREW 'EM! GOTTA MATCH RED HAT! Scripts will break? SCREW 'EM! GOTTA MATCH FUCKING RED HAT! The only reason anyone would think that "plain su is bad" is because they had to work with Red Hat systems (or perhaps certain BSD-based systems) where plain su behaves the way testing's su behaves, and they got used to it. -- For more information, please reread. signature.asc Description: PGP signature
Re: New su behavior in util-linux 2.32
On Sat, Aug 11, 2018 at 11:41:34AM +0200, Pétùr wrote: > The new 'su' is useless for me because it cannot launch root program. > I did the modification in /etc/login.defs and restore the previous > behavior. However I am concern with the statement " Doing plain 'su' > is a really bad idea for many reasons". > > Could someone explain to me why this is a bad behavior? It's not what Red Hat does, and therefore "oh, we have to change to match what Red Hat does". Never mind the fact that it's a completely stupid, intrusive, pointless change that breaks the behavior that has been working properly in Debian for decades. Who cares about things working properly, or backward compatiblity, or common sense? GOTTA MATCH RED HAT! Users will be confused? SCREW 'EM! GOTTA MATCH RED HAT! Scripts will break? SCREW 'EM! GOTTA MATCH FUCKING RED HAT! The only reason anyone would think that "plain su is bad" is because they had to work with Red Hat systems (or perhaps certain BSD-based systems) where plain su behaves the way testing's su behaves, and they got used to it.
Re: New su behavior in util-linux 2.32
https://www.mycause.com.au/page/183259/a-smile-will-change-a-day-love-that-changed-my-world From: Pétùr Sent: Saturday, 11 August 2018 7:41 PM To: debian-user Subject: New su behavior in util-linux 2.32 Using 'su' generates now an path error when launching programs such as 'shutdown'. The cause is a new behavior described below. --- util-linux (2.32-0.4) unstable; urgency=medium The util-linux implementation of /bin/su is now used, replacing the one previously supplied by src:shadow (shipped in login package), and bringing Debian in line with other modern distributions. The two implementations are very similar but have some minor differences (and there might be more that was not yet noticed ofcourse), e.g. - new 'su' (with no args, i.e. when preserving the environment) also preserves PATH and IFS, while old su would always reset PATH and IFS even in 'preserve environment' mode. - su '' (empty user string) used to give root, but now returns an error. - previously su only had one pam config, but now 'su -' is configured separately in /etc/pam.d/su-l The first difference is probably the most user visible one. Doing plain 'su' is a really bad idea for many reasons, so using 'su -' is strongly recommended to always get a newly set up environment similar to a normal login. If you want to restore behaviour more similar to the previous one you can add 'ALWAYS_SET_PATH yes' in /etc/login.defs. --- The new 'su' is useless for me because it cannot launch root program. I did the modification in /etc/login.defs and restore the previous behavior. However I am concern with the statement " Doing plain 'su' is a really bad idea for many reasons". Could someone explain to me why this is a bad behavior? Pétùr
Re: New su behavior in util-linux 2.32
On 2018-08-11, Pétùr wrote: > Le 11/08/2018 à 16:03, Curt a écrit : >> There was a lengthy discussion, but within it I don't remember anyone >> detailing the numerous reasons (or any reason at all) executing plain >> 'su' is a "really bad idea," (where I'm reading "really bad idea" to >> mean having unintended and very detrimental consequences to the >> hapless user). > > Sorry I missed the discussion (it was during my vacation). I read it > quickly and, indeed, there is no proper explanation why old "su" is > dangerous to use or a bad idea. > > No one said the old su was dangerous or a bad idea. The new su came about because "all other distributions are using the implementations from util-linux." https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833256 What was said here (in the NEWS or NOTES or some official document quoted in this thread) was that executing "su" without any arguments rather than "su -" was a very bad idea (so that those bitten by the fact the new, improved su doesn't reset the PATH are kind of getting what they deserve anyway for being ignorant). -- "She was a blank wall, fresh painted." Louise Erdrich, Love Medicine
Re: New su behavior in util-linux 2.32
Le 11/08/2018 à 13:42, Nicolas George a écrit : > Pétùr (2018-08-11): >> The new 'su' is useless for me because it cannot launch root program. > Maybe learn how to use $PATH? If I modify $PATH for the new "su", I basically re-implement the old behavior of "su". This is exactly what adding 'ALWAYS_SET_PATH yes' in /etc/login.defs does (and I did that). My question was not to modify new "su" but why old "su" is bad practice.
Re: New su behavior in util-linux 2.32
Le 11/08/2018 à 16:03, Curt a écrit : > There was a lengthy discussion, but within it I don't remember anyone > detailing the numerous reasons (or any reason at all) executing plain > 'su' is a "really bad idea," (where I'm reading "really bad idea" to > mean having unintended and very detrimental consequences to the > hapless user). Sorry I missed the discussion (it was during my vacation). I read it quickly and, indeed, there is no proper explanation why old "su" is dangerous to use or a bad idea.
Re: New su behavior in util-linux 2.32
> > There was a lengthy discussion, but within it I don't remember anyone > detailing the numerous reasons (or any reason at all) executing plain > 'su' is a "really bad idea," (where I'm reading "really bad idea" to > mean having unintended and very detrimental consequences to the > hapless user). > I think i missed that discussion, will catch that later. I would like to suggest that instead of showing only "Doing plain 'su' is a really bad idea for many reasons" on the NEWS file, one should add some external reference on why it is a bad idea, because most probably the user using only "su" is not aware of why it's bad and is left empty handed on the reasons (obviously they can search online, but that doesn't mean we can't show the reasoning behind that on NEWS). I'd really like if Stretch users also received an external URL for reference or a proper explanation on why this is bad during the Stretch->Buster upgrade. There was a lengthy discussion, but within it I don't remember anyone > detailing the numerous reasons (or any reason at all) executing plain > 'su' is a "really bad idea," (where I'm reading "really bad idea" to > mean having unintended and very detrimental consequences to the > hapless user). I don't think it's a good idea to expect users to search for that discussion when they see the NEWS file, we should assume that at the least they will continue to try using "su" and fallback to "su -" when something goes wrong, without ever looking for the reasons (and that is what is actually happening with Brazilian users right now). -- Samuel Henrique
Re: New su behavior in util-linux 2.32
On 2018-08-11, Stefan Krusche wrote: >> >> The first difference is probably the most user visible one. Doing >> plain 'su' is a really bad idea for many reasons, so using 'su -' is >> strongly recommended to always get a newly set up environment similar >> to a normal login. If you want to restore behaviour more similar to >> the previous one you can add 'ALWAYS_SET_PATH yes' in /etc/login.defs. >> --- >> >> The new 'su' is useless for me because it cannot launch root program. >> I did the modification in /etc/login.defs and restore the previous >> behavior. However I am concern with the statement " Doing plain 'su' >> is a really bad idea for many reasons". >> >> Could someone explain to me why this is a bad behavior? >> >> Pétùr > > Hello Pétùr, > > only recently until a couple days ago there was a lengthy discussion about > just > that. Have you missed that? Have a look in the archives for a subject line > like > this: "use of su vs sudo" ... There was a lengthy discussion, but within it I don't remember anyone detailing the numerous reasons (or any reason at all) executing plain 'su' is a "really bad idea," (where I'm reading "really bad idea" to mean having unintended and very detrimental consequences to the hapless user). > Kind regards, > Stefan > > -- "She was a blank wall, fresh painted." Louise Erdrich, Love Medicine
Re: New su behavior in util-linux 2.32
Pétùr (2018-08-11): > The new 'su' is useless for me because it cannot launch root program. Maybe learn how to use $PATH? Regards, -- Nicolas George signature.asc Description: Digital signature
Re: New su behavior in util-linux 2.32
Am Samstag 11 August 2018 schrieb Pétùr: > Using 'su' generates now an path error when launching programs such as > 'shutdown'. The cause is a new behavior described below. --- > util-linux (2.32-0.4) unstable; urgency=medium > > The util-linux implementation of /bin/su is now used, replacing the > one previously supplied by src:shadow (shipped in login package), and > bringing Debian in line with other modern distributions. The two > implementations are very similar but have some minor differences (and > there might be more that was not yet noticed ofcourse), e.g. > > - new 'su' (with no args, i.e. when preserving the environment) also > preserves PATH and IFS, while old su would always reset PATH and IFS > even in 'preserve environment' mode. > - su '' (empty user string) used to give root, but now returns an error. > - previously su only had one pam config, but now 'su -' is configured > separately in /etc/pam.d/su-l > > The first difference is probably the most user visible one. Doing > plain 'su' is a really bad idea for many reasons, so using 'su -' is > strongly recommended to always get a newly set up environment similar > to a normal login. If you want to restore behaviour more similar to > the previous one you can add 'ALWAYS_SET_PATH yes' in /etc/login.defs. > --- > > The new 'su' is useless for me because it cannot launch root program. > I did the modification in /etc/login.defs and restore the previous > behavior. However I am concern with the statement " Doing plain 'su' > is a really bad idea for many reasons". > > Could someone explain to me why this is a bad behavior? > > Pétùr Hello Pétùr, only recently until a couple days ago there was a lengthy discussion about just that. Have you missed that? Have a look in the archives for a subject line like this: "use of su vs sudo" ... Kind regards, Stefan
New su behavior in util-linux 2.32
Using 'su' generates now an path error when launching programs such as 'shutdown'. The cause is a new behavior described below. --- util-linux (2.32-0.4) unstable; urgency=medium The util-linux implementation of /bin/su is now used, replacing the one previously supplied by src:shadow (shipped in login package), and bringing Debian in line with other modern distributions. The two implementations are very similar but have some minor differences (and there might be more that was not yet noticed ofcourse), e.g. - new 'su' (with no args, i.e. when preserving the environment) also preserves PATH and IFS, while old su would always reset PATH and IFS even in 'preserve environment' mode. - su '' (empty user string) used to give root, but now returns an error. - previously su only had one pam config, but now 'su -' is configured separately in /etc/pam.d/su-l The first difference is probably the most user visible one. Doing plain 'su' is a really bad idea for many reasons, so using 'su -' is strongly recommended to always get a newly set up environment similar to a normal login. If you want to restore behaviour more similar to the previous one you can add 'ALWAYS_SET_PATH yes' in /etc/login.defs. --- The new 'su' is useless for me because it cannot launch root program. I did the modification in /etc/login.defs and restore the previous behavior. However I am concern with the statement " Doing plain 'su' is a really bad idea for many reasons". Could someone explain to me why this is a bad behavior? Pétùr