[systemd-devel] logind, su - sessions and initscripts compatibility
mbiebl at gmail.com
Thu Dec 18 06:46:06 PST 2014
2014-12-18 13:19 GMT+01:00 Simon McVittie <simon.mcvittie at collabora.co.uk>:
> On 18/12/14 08:05, Andrei Borzenkov wrote:
>> Any initscript that is using "su -" would [cause badness]
> Don't do that then? Init scripts are fairly clearly not login sessions.
> Which init scripts do that?
> In Debian, our init scripts would typically use "start-stop-daemon
> --chuid whateveruser --start whateverd" instead of su. Does your
> distribution have an equivalent?
> I'm gradually forming the opinion that su should be considered
> deprecated for both its roles (interactive privilege
> escalation/privilege-dropping for one-off commands or interactive
> shells, and automated uid swapping), because it doesn't do either of
> them particularly well; in particular, it doesn't sanitize environment
> variables by default (you have to remember the "-" which has other
> side-effects), and the need for the command to be a shell command-line
> rather than an argument vector makes it hard to use securely.
I remember that util-linux added a "runuser" utility which is
supposed to be more suitable to run processes under certain gid/uids
from within scripts.
Why is it that all of the instruments seeking intelligent life in the
universe are pointed away from Earth?
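
The command-line versus argument-vector point raised in the quoted text, as an added example that is not part of the original message or of any project's code. It only emulates how the two forms hand arguments to the program (no su, runuser or privilege change is executed); the pidfile value and the `--pidfile` option are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: emulation only, nothing here switches user.
# HOSTILE is a constructed value standing in for any variable an init
# script interpolates (config entry, file name, option from a defaults file).
HOSTILE='/run/whateverd.pid; echo INJECTED'

# Stand-in for the daemon: prints each argument it receives on its own line.
show_args() {
    for a in "$@"; do
        printf '[%s]\n' "$a"
    done
}

# Shape of:  su whateveruser -c "whateverd --pidfile $pidfile"
# su hands ONE string to the target user's shell, which parses it again,
# so shell metacharacters inside $pidfile become shell syntax.
via_command_line() {
    sh -c "printf '[%s]\n' --pidfile $1"
}

# Shape of:  runuser -u whateveruser -- whateverd --pidfile "$pidfile"
#       or:  start-stop-daemon --start --chuid whateveruser \
#                --exec /path/to/whateverd -- --pidfile "$pidfile"
# The argument vector reaches the program unchanged; no shell re-parses it.
via_argument_vector() {
    show_args --pidfile "$1"
}

echo "command-line form:"
via_command_line "$HOSTILE"
echo "argument-vector form:"
via_argument_vector "$HOSTILE"
```

In the command-line form the text after the `;` runs as a second command, while in the argument-vector form it stays inside a single argument.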