Package: util-linux
Version: 2.32.1-0.1
Severity: important

There's the following bug affecting many users:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=732209

It has been marked as wontfix with the following comment:

------------------------------------------------------------------------
The problem is not "gone" in any sense of the word -- which of the
leaked environment variables do you want libpam-systemd to unset in
su's stead? XDG_RUNTIME_DIR? DBUS_SESSION_BUS_ADDRESS? DESKTOP_SESSION?
MAIL? XDG_CONFIG_DIRS? SSH_AUTH_SOCK? GPG_AGENT_INFO?

The fundamental problem is that it's not at all defined what "su"
without -l actually wants to be: Switching to a different user like a
suid program? Then you need the *entire* environment and not change a
few selected variables like $HOME only. Or be like "login"? Then you
need to clean the env like su -l or sudo. Both of the latter have
well-defined behaviour, whereas the current "su" has no conceptual or
consistent (or safe) behaviour at all.

[...]

AFAICS, the behaviour of "su" without -l either needs to be properly
defined and fixed, or it should be completely deprecated, perhaps
making it do the same thing as -l.
------------------------------------------------------------------------

The su(1) man page is not helpful:

  For backward compatibility, su defaults to not change the current
  directory and to only set the environment variables HOME and SHELL
  (plus USER and LOGNAME if the target user is not root). It is
  recommended to always use the --login option (instead of its
  shortcut -) to avoid side effects caused by mixing environments.

First, the default behavior should never be discouraged: if there is
something wrong, then it should be fixed. Note also that backward
compatibility has already been broken by systemd: things that were
possible in the past are no longer possible due to environment
variables like the XDG_* ones.

Instead of recommending --login, it should be fixed to be a bit more
like --login, but without the useless drawbacks.
I mean that it should restrict to environment cleaning (in some
direction or the other one). If the direction is to clean up
everything except some environment variables, then it should keep
at least:
  * the user's locale settings,
  * COLUMNS, LINES (in case they are set),
  * LOGNAME,
  * TERM, TERMCAP and TERMINFO (to avoid a broken terminal),
  * probably TZ too.

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.17.0-3-amd64 (SMP w/12 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages util-linux depends on:
ii  fdisk          2.32.1-0.1
ii  libaudit1      1:2.8.3-1+b1
ii  libblkid1      2.32.1-0.1
ii  libc6          2.27-5
ii  libmount1      2.32.1-0.1
ii  libpam0g       1.1.8-3.8
ii  libselinux1    2.8-1+b1
ii  libsmartcols1  2.32.1-0.1
ii  libsystemd0    239-7
ii  libtinfo6      6.1+20180714-1
ii  libudev1       239-7
ii  libuuid1       2.32.1-0.1
ii  login          1:4.5-1.1
ii  zlib1g         1:1.2.11.dfsg-1

util-linux recommends no packages.

Versions of packages util-linux suggests:
ii  dosfstools          4.1-2
ii  kbd                 2.0.4-4
ii  util-linux-locales  2.32.1-0.1

-- no debconf information
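
The allowlist direction proposed in the report above, as an added shell example (not part of the original report and not util-linux code): start from an empty environment and carry over only the listed variables. Reading "the user's locale settings" as LANG, LANGUAGE and LC_* is an assumption, and is_kept and run_clean are hypothetical helper names; the HOME, SHELL and USER handling that su does itself is left out.

```shell
#!/bin/sh
# Added example: allowlist-based environment cleaning, as proposed in the
# report. is_kept and run_clean are hypothetical names, not su internals.

# is_kept NAME: succeed if NAME is on the report's keep list.
# Assumption: "locale settings" means LANG, LANGUAGE and the LC_* family.
is_kept() {
    case $1 in
        LANG|LANGUAGE|LC_*)    return 0 ;;
        COLUMNS|LINES)         return 0 ;;
        LOGNAME|TZ)            return 0 ;;
        TERM|TERMCAP|TERMINFO) return 0 ;;
        *)                     return 1 ;;
    esac
}

# run_clean CMD [ARGS...]: run CMD with an environment that contains only
# the allowlisted variables. Everything else, including session-bound
# values such as XDG_RUNTIME_DIR, DBUS_SESSION_BUS_ADDRESS or
# SSH_AUTH_SOCK, is dropped because the child starts from "env -i".
run_clean() {
    # awk lists the names of exported variables; names that are not valid
    # shell identifiers are skipped so the eval below is safe.
    for _name in $(awk 'BEGIN { for (k in ENVIRON)
            if (k ~ /^[A-Za-z_][A-Za-z0-9_]*$/) print k }'); do
        is_kept "$_name" || continue
        eval "_value=\${$_name}"
        # Prepend NAME=value so the assignments precede the command.
        set -- "$_name=$_value" "$@"
    done
    env -i "$@"
}

# Constructed demo values: the two session variables do not reach the child.
(
    export TERM=xterm TZ=UTC
    export SSH_AUTH_SOCK=/tmp/constructed-agent.sock
    export XDG_RUNTIME_DIR=/run/user/1000
    run_clean env | sort
)
```
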