Control: tags -1 + wontfix

Hello Vincent Lefevre,

On Fri, Aug 24, 2018 at 05:17:34PM +0200, Vincent Lefevre wrote:
> Package: util-linux
> Version: 2.32.1-0.1
> Severity: important
[...]
> The fundamental problem is that it's not at all defined what "su"
> without -l actually wants to be:

(This is still unfixed/undefined AFAIK.)

[...]
> AFAICS, the behaviour of "su" without -l either needs to be properly
> defined and fixed, or it should be completely deprecated, perhaps
> making it do the same thing as -l.

In my personal opinion 'su' should likely be deprecated in its
entirety. Of course that won't happen overnight. There are lots of
scripts to rewrite to use setpriv (and sometimes possibly runuser where
suitable) instead of su. Lots of users to teach to always use sudo.
Most likely there are also standards documents that need to be addressed
and revisioned. Your help welcome! ;)

(FWIW, I'm thinking we should merge the setpriv package into util-linux
and make setpriv command Essential. The reason we separated it out
doesn't seem to apply anymore. A merge request would certainly be
welcome!)


[...]
> First, the default behavior should never be discouraged: if there is
> something wrong, then it should be fixed.
[...]

I normally very much agree, but as usual there's a bigger picture to
take into account here. The entire existence of su today basically
boils down to (obsolete?) standards adherence, backwards and sanity
compatibility. Basically su is all about legacy.
Secondly, the util-linux implementation is all about PAM, which allows
you to configure the behaviour so that the application doesn't have
to implement it in C code (as the old su implementation did for
certain things).

Unfortunately what we've seen here is that quite a few people have
built up a habit of relying on debian-specific peculiarities which
was very noticeable when we switched. I've tried to gather the opinions
of fellow maintainers and domain experts what we should choose
when we can only pick one debian-legacy-compatibility and being more
compatible with basically every other linux distribution. Everyone
has pointed in the same direction, leaving the debian-peculiarities
of su behind us. (There has also been some discussion about smoothing
out some of the bumps by updating pam configurations, sometimes used
in other distributions already. Again domain experts have suggested
not doing it.)

Please note however that plain 'su' was just as bad of an idea
before we switched su implementation as it remains to be today.
People simply need to learn to stop using su at some point (or
keep shooting their own feet off until they learn).

If you really want to help, I think the first best step would be
to lobby the debian installer team to make the 'root password' prompt
only show up in 'expert level' installs and thus giving everyone
sudo installed and setup by default (as far too few users are aware
of that they'll get today by leaving the root password prompt blank).

Sorry, but I don't really see anything to fix in util-linux here
(certainly not anything debian-specific, please discuss upstream changes
on the upstream mailing list. A patch to make the su manpage easier to
read for users would likely be warmly welcomed there).
I'm thus tagging this wontfix. Hopefully my comments above at least
help shine some light on the situation.

Regards,
Andreas Henriksson
