Hi Ingo,

Thanks for your detailed explanation!

Best Regards
Nan Xiao

On Wed, Jun 12, 2019 at 4:55 PM Ingo Schwarze <[email protected]> wrote:
>
> Hello Nan Xiao,
>
> Nan Xiao wrote on Wed, Jun 12, 2019 at 02:19:08PM +0800:
>
> > I read su manual (https://man.openbsd.org/su.1), but can't find words
> > which said if no account is provided, root is the default.
>
> The BUGS section says so indirectly, but i agree that is not sufficient.
> A manual page ought to explain the behaviour of a utility explicitly
> and in the DESCRIPTION section. All the more so for aspects as important
> as the one you are talking about.
>
> > But for
> > doas(https://man.openbsd.org/doas.1), it has following words:
> >
> > -u user    Execute the command as user. The default is root.
> >
> > I am not a nitpicker, just curious whether I miss something? Thanks!
>
> In OpenBSD, we do not regard it as nitpicking when people point out
> bugs in manual pages. We regard bugs in manual pages just as much as
> bugs as bugs in code. We insist that manual pages have to be correct,
> complete, and concise.
>
> Consequently, your report is very much appreciated and i committed
> the bugfix shown below.
>
> Thank you,
> Ingo
>
>
> P.S.
> The reason this particular bug was able to survive for so long appears
> to be that su(1) has been obsolete as a tool for getting a root shell
> for a very long time. For that purpose, it is less secure than sudo(1)
> used to be, and even sudo(1) was swapped out of OpenBSD because
> something simpler like doas(1) is even more secure unless you really
> need the additional functionality. And even then, if possible,
> getting your task done in a simpler way that doas(1) can handle may
> provide a security benefit.
>
> Even though su(1) can still be used today to relinquish privilege
> when you are already root, no more development is done on it and people
> rarely look at the manual page.
> The last time new functionality was
> added to the su(1) manual page was almost a decade ago, and the
> last time before that 17 years ago.
>
> Even though UNIX manual pages were always high quality documentation,
> two decades ago, they weren't fully up to modern OpenBSD quality
> standards yet.
>
>
> CVSROOT: /cvs
> Module name: src
> Changes by: [email protected] 2019/06/12 02:29:17
>
> Modified files:
> usr.bin/su : su.1
>
> Log message:
> when "login" is not specified, "root" is used;
> omission reported by Nan Xiao <xiaonan830818 at gmail dot com> on misc@
>
>
> Index: su.1 > =================================================================== > RCS file: /cvs/src/usr.bin/su/su.1,v > retrieving revision 1.31 > retrieving revision 1.32 > diff -u -r1.31 -r1.32 > --- su.1 30 Jul 2015 08:03:49 -0000 1.31 > +++ su.1 12 Jun 2019 08:29:17 -0000 1.32 > @@ -49,6 +49,11 @@ > .Nm > utility allows a user to run a shell with the user and group ID of another > user > without having to log out and in as that other user. > +If the target > +.Ar login > +name is not specified, > +.Dq root > +is used. > .Pp > By default, the environment is unmodified with the exception of > .Ev LOGNAME ,
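
Review bot: The added sentence in the @@ -49,6 +49,11 @@ hunk introduces "the target .Ar login name", but the unchanged context directly above it only speaks of "another user" and "that other user", so the word "target" arrives undefined. Wording it as "If no .Ar login is specified, .Dq root is used." would tie the default straight to the argument and to the user whose user and group ID the shell runs with. Since the message above says the BUGS section already implies this default indirectly, that section should be reread against the new explicit statement so the two do not diverge.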

