On 06/12/2014 09:15 AM, Ken Schneider - openSUSE wrote:
> It's all about the $ENV Basil. To test this use 'su', enter root's password, and type "env" and then (after you exit using CTRL-d) use 'su -', enter root's password, and type "env". Compare the two lists and you will find many differences, chief among them will be the $PATH result.
Perhaps another way of looking at it is the difference between merely escalating authority and creating a new login environment. If you look at the man page for the shell it talks of the login shell:

    A login shell is one whose first character of argument zero is a -, or
    one started with the --login option.

Perhaps you should read the rest of that section. A RTFM of SU(1) also mentions:

    -, -l, --login
        Starts the shell as login shell with an environment similar to a
        real login:
          o clears all environment variables except for TERM
          o initializes the environment variables HOME, SHELL, USER,
            LOGNAME, PATH
          o changes to the target user's home directory
          o sets argv[0] of the shell to '-' in order to make the shell a
            login shell

And of course that last line brings us back to the section in the man page for the shell that I mentioned above.

Of course the matter of a password when using 'sudo' or even 'su' is just another configuration issue. If the user is a member of the wheel group and the /etc/sudoers file and the file /etc/pam.d/su and/or /etc/pam.d/sudo have been configured correctly, then no password is required, or the user's own password rather than the root password can be required. The issue here is 'this is Linux', so it is configurable.

The 'wheel group' is something that Berkeley UNIX came up with about 35 years ago to address the issue of having multiple sysadmins without disclosing the root password. The policy was that all admins had the same universal power. If you look at how the wheel group is implemented (see PAM_WHEEL(8)) then it is easy to see that this mechanism can be generalized and applied to more restrictive administrative powers. For example, you can set up a group that can add new users by inserting the pam_wheel entry in /etc/pam.d/useradd with the parameter of the group created for that purpose. PAM is very powerful and very flexible.
Take a look also at PAM_LISTFILE(8).

That being said, the same could be done with sudo, and to a large degree simply by the proper use of access controls and groups. Steve Simmons presented a paper "Live Without Root" back at LISA in 1990. Although he describes a very specific set of circumstances, I have applied this for such things as printer administration in an AIX setting. Of course it helps if one can draw Venn diagrams :-)

http://www-personal.umich.edu/~scs/TechWriting/rootless.html
http://www.ussrback.com/docs/papers/unix/noroot.ps

-- 
 /"\
 \ /  ASCII Ribbon Campaign
  X   Against HTML Mail
 / \
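The "group that can add new users" idea from the message above, written out as configuration. This is an added example and not something posted in the thread; the group name useradmins is invented, and the PAM stanza assumes, as the post does, that the distribution ships a PAM-aware useradd that consults /etc/pam.d/useradd and uses the SUSE-style common-auth/common-account includes. The sudo variant is the alternative the post mentions.

```text
# /etc/pam.d/useradd   (assumed service file, see lead-in)
# pam_wheel denies anyone who is not in 'useradmins' (PAM_PERM_DENIED);
# members fall through (PAM_IGNORE) to the normal authentication stack.
# use_uid checks the real uid of the caller rather than the login name
# attached to the terminal, which also works from cron or a script.
auth     required   pam_wheel.so use_uid group=useradmins
auth     include    common-auth
account  include    common-account

# Same delegation with sudo: /etc/sudoers.d/useradmins (edit with visudo -f)
Cmnd_Alias USERADMIN = /usr/sbin/useradd, /usr/sbin/usermod, /usr/sbin/userdel
%useradmins ALL=(root) USERADMIN
```

One caveat before handing out either form: a command that can create accounts is very close to root itself. useradd accepts -o -u 0, which creates a second uid-0 account, and usermod can add an existing user to wheel. If the delegated power is meant to be narrower than root, constrain the arguments (a wrapper script listed in sudoers instead of the raw binary, or sudoers argument patterns) rather than relying on the command name alone.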
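The PATH point raised in the quoted message can be shown without touching root at all. The script below is an added example, not code from either poster: it emulates what the su(1) man page says 'su -' does (drop everything but TERM, set a fresh PATH) using env -i, next to a plain child shell that inherits the caller's environment the way a bare 'su' does. The scratch directory, the planted look-alike 'ls' and the fixed login PATH /usr/sbin:/usr/bin:/sbin:/bin are all constructed assumptions for the demonstration; a real 'su -' takes its PATH from the su/login configuration of the distribution.

```shell
#!/bin/sh
# Added example (not from the thread): 'su' keeps the caller's environment,
# 'su -' clears it except TERM and sets HOME, SHELL, USER, LOGNAME and PATH.
# Both cases are emulated here with ordinary child shells, so no root needed.

SCRATCH=$(mktemp -d)              # constructed scratch area for the demo
FAKE_BIN="$SCRATCH/bin"
mkdir -p "$FAKE_BIN"

# A look-alike 'ls' of the kind an unprivileged user could plant in a
# directory that appears early in their own PATH (constructed for the demo).
cat > "$FAKE_BIN/ls" <<'EOF'
#!/bin/sh
echo "trojan ls running as uid $(id -u)"
EOF
chmod 755 "$FAKE_BIN/ls"

# Case 1: bare 'su' semantics. The new shell inherits PATH unchanged, so the
# first 'ls' on the caller's PATH is the one that runs, now with root's uid.
resolve_ls_inherited() {
    PATH="$FAKE_BIN:$PATH" sh -c 'command -v ls'
}
run_ls_inherited() {
    PATH="$FAKE_BIN:$PATH" sh -c 'ls'
}

# Case 2: 'su -' semantics. Everything but TERM is dropped and PATH is reset
# to a fixed system path (assumption: this stands in for the login PATH).
resolve_ls_login() {
    env -i TERM="${TERM:-dumb}" PATH=/usr/sbin:/usr/bin:/sbin:/bin \
        sh -c 'command -v ls'
}

# Names of the variables that survive into the login-style environment
# (only TERM and PATH from us; the shell itself may add a few of its own).
login_env_names() {
    env -i TERM="${TERM:-dumb}" PATH=/usr/sbin:/usr/bin:/sbin:/bin \
        sh -c 'env' | cut -d= -f1 | sort | tr '\n' ' '
}

cleanup() { rm -rf "$SCRATCH"; }
trap cleanup EXIT

demo() {
    echo "inherited env resolves ls to: $(resolve_ls_inherited)"
    echo "inherited env running ls:     $(run_ls_inherited)"
    echo "login-style env resolves ls to: $(resolve_ls_login)"
    echo "login-style env variables:    $(login_env_names)"
}
demo
```

The point to take from the output is the first two lines: in the inherited environment the planted script is what 'ls' resolves to, and with a real 'su' it would be executing as uid 0. In the login-style environment the system 'ls' wins because the caller's PATH never reached the new shell.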