Re: New su behavior in util-linux 2.32

2018-08-14 Thread Vincent Lefevre
On 2018-08-12 00:13:31 +, Dale Forsyth wrote:
> 
> From: Pétùr 
> Sent: Saturday, 11 August 2018 7:41 PM
> To: debian-user
> Subject: New su behavior in util-linux 2.32
> 
> Using 'su' now generates a path error when launching programs such as
> 'shutdown'. The cause is a new behavior described below.
> ---
> util-linux (2.32-0.4) unstable; urgency=medium
> 
>   The util-linux implementation of /bin/su is now used, replacing the
>   one previously supplied by src:shadow (shipped in login package), and
>   bringing Debian in line with other modern distributions. The two
>   implementations are very similar but have some minor differences (and
>   there might be more that was not yet noticed ofcourse), e.g.
> 
>   - new 'su' (with no args, i.e. when preserving the environment) also
>     preserves PATH and IFS, while old su would always reset PATH and IFS
>     even in 'preserve environment' mode.
>   - su '' (empty user string) used to give root, but now returns an error.
>   - previously su only had one pam config, but now 'su -' is configured
>     separately in /etc/pam.d/su-l
> 
>   The first difference is probably the most user visible one. Doing
>   plain 'su' is a really bad idea for many reasons, so using 'su -' is
>   strongly recommended to always get a newly set up environment similar
>   to a normal login. If you want to restore behaviour more similar to
>   the previous one you can add 'ALWAYS_SET_PATH yes' in /etc/login.defs.
> ---

And this is illogical: the default behavior cannot be a bad idea.
If the current behavior is really bad, then 'su' should behave
like 'su -'.

> The new 'su' is useless for me because it cannot launch root program.

I have no such problem, though.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Re: New su behavior in util-linux 2.32

2018-08-13 Thread Sven Joachim
On 2018-08-13 14:06 +0100, Darac Marjal wrote:

> Actually, util-linux is distributed by the Linux Kernel Organization
> (i.e. the folks at kernel.org). So, yes, Debian has to match what Red
> Hat does inasmuch as Red Hat uses a Linux kernel and so does
> Debian. It just makes sense to use the kernel-provided kernel
> utilities.
>
> As an aside, I don't know what the situation is with the *BSD
> Debians. They presumably don't use util-linux, so I *guess* they're
> still using su from src:shadow?

No, kfreebsd and hurd also use util-linux and its su implementation.
While not all programs in the util-linux suite work on non-Linux
architectures, many of them do.

https://sources.debian.org/src/util-linux/2.32.1-0.1/debian/util-linux.install/

Cheers,
   Sven



Re: New su behavior in util-linux 2.32

2018-08-13 Thread Darac Marjal

On Mon, Aug 13, 2018 at 08:43:12AM -0400, Greg Wooledge wrote:
> On Sat, Aug 11, 2018 at 11:41:34AM +0200, Pétùr wrote:
> > The new 'su' is useless for me because it cannot launch root program.
> > I did the modification in /etc/login.defs and restored the previous
> > behavior. However I am concerned with the statement " Doing plain 'su'
> > is a really bad idea for many reasons".
> >
> > Could someone explain to me why this is a bad behavior?
>
> It's not what Red Hat does, and therefore "oh, we have to change to
> match what Red Hat does".

Actually, util-linux is distributed by the Linux Kernel Organization
(i.e. the folks at kernel.org). So, yes, Debian has to match what Red
Hat does inasmuch as Red Hat uses a Linux kernel and so does Debian. It
just makes sense to use the kernel-provided kernel utilities.

As an aside, I don't know what the situation is with the *BSD Debians.
They presumably don't use util-linux, so I *guess* they're still using
su from src:shadow?

> Never mind the fact that it's a completely stupid, intrusive, pointless
> change that breaks the behavior that has been working properly in Debian
> for decades.  Who cares about things working properly, or backward
> compatibility, or common sense?  GOTTA MATCH RED HAT!

Change should be acceptable IF there is a good reason for it. I'll
agree, though, that it's not really been well-communicated how "su -" is
better than "su" and why, apparently, the meaning of the two have been
swapped over. But if the point is to make things more secure, then
that's a perfectly acceptable reason for breakage.

> Users will be confused?  SCREW 'EM!  GOTTA MATCH RED HAT!
>
> Scripts will break?  SCREW 'EM!  GOTTA MATCH FUCKING RED HAT!
>
> The only reason anyone would think that "plain su is bad" is because
> they had to work with Red Hat systems (or perhaps certain BSD-based
> systems) where plain su behaves the way testing's su behaves, and
> they got used to it.




--
For more information, please reread.




Re: New su behavior in util-linux 2.32

2018-08-13 Thread Greg Wooledge
On Sat, Aug 11, 2018 at 11:41:34AM +0200, Pétùr wrote:
> The new 'su' is useless for me because it cannot launch root program.
> I did the modification in /etc/login.defs and restored the previous
> behavior. However I am concerned with the statement " Doing plain 'su'
> is a really bad idea for many reasons".
> 
> Could someone explain to me why this is a bad behavior?

It's not what Red Hat does, and therefore "oh, we have to change to
match what Red Hat does".

Never mind the fact that it's a completely stupid, intrusive, pointless
change that breaks the behavior that has been working properly in Debian
for decades.  Who cares about things working properly, or backward
compatibility, or common sense?  GOTTA MATCH RED HAT!

Users will be confused?  SCREW 'EM!  GOTTA MATCH RED HAT!

Scripts will break?  SCREW 'EM!  GOTTA MATCH FUCKING RED HAT!

The only reason anyone would think that "plain su is bad" is because
they had to work with Red Hat systems (or perhaps certain BSD-based
systems) where plain su behaves the way testing's su behaves, and
they got used to it.



Re: New su behavior in util-linux 2.32

2018-08-11 Thread Dale Forsyth
https://www.mycause.com.au/page/183259/a-smile-will-change-a-day-love-that-changed-my-world

From: Pétùr 
Sent: Saturday, 11 August 2018 7:41 PM
To: debian-user
Subject: New su behavior in util-linux 2.32

Using 'su' now generates a path error when launching programs such as
'shutdown'. The cause is a new behavior described below.
---
util-linux (2.32-0.4) unstable; urgency=medium

  The util-linux implementation of /bin/su is now used, replacing the
  one previously supplied by src:shadow (shipped in login package), and
  bringing Debian in line with other modern distributions. The two
  implementations are very similar but have some minor differences (and
  there might be more that was not yet noticed ofcourse), e.g.

  - new 'su' (with no args, i.e. when preserving the environment) also
    preserves PATH and IFS, while old su would always reset PATH and IFS
    even in 'preserve environment' mode.
  - su '' (empty user string) used to give root, but now returns an error.
  - previously su only had one pam config, but now 'su -' is configured
    separately in /etc/pam.d/su-l

  The first difference is probably the most user visible one. Doing
  plain 'su' is a really bad idea for many reasons, so using 'su -' is
  strongly recommended to always get a newly set up environment similar
  to a normal login. If you want to restore behaviour more similar to
  the previous one you can add 'ALWAYS_SET_PATH yes' in /etc/login.defs.
---

The new 'su' is useless for me because it cannot launch root program.
I did the modification in /etc/login.defs and restored the previous
behavior. However I am concerned with the statement " Doing plain 'su'
is a really bad idea for many reasons".

Could someone explain to me why this is a bad behavior?

Pétùr



Re: New su behavior in util-linux 2.32

2018-08-11 Thread Curt
On 2018-08-11, Pétùr  wrote:
> Le 11/08/2018 à 16:03, Curt a écrit :
>> There was a lengthy discussion, but within it I don't remember anyone
>> detailing the numerous reasons (or any reason at all) executing plain
>> 'su' is a "really bad idea," (where I'm reading "really bad idea" to
>> mean having unintended and very detrimental consequences to the
>> hapless user).
>
> Sorry I missed the discussion (it was during my vacation). I read it
> quickly and, indeed, there is no proper explanation why old "su" is
> dangerous to use or a bad idea.
>
>

No one said the old su was dangerous or a bad idea. The new su came about
because "all other distributions are using the implementations from
util-linux."

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=833256

What was said here (in the NEWS or NOTES or some official document
quoted in this thread) was that executing "su" without any arguments
rather than "su -" was a very bad idea (so that those bitten by the fact
the new, improved su doesn't reset the PATH are kind of getting what
they deserve anyway for being ignorant).

-- 
"She was a blank wall, fresh painted." 
Louise Erdrich, Love Medicine



Re: New su behavior in util-linux 2.32

2018-08-11 Thread Pétùr
Le 11/08/2018 à 13:42, Nicolas George a écrit :
> Pétùr (2018-08-11):
>> The new 'su' is useless for me because it cannot launch root program.
> Maybe learn how to use $PATH?

If I modify $PATH for the new "su", I basically re-implement the old
behavior of "su". This is exactly what adding 'ALWAYS_SET_PATH yes' in
/etc/login.defs does (and I did that).

My question was not to modify new "su" but why old "su" is bad practice.
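
The situation discussed in this thread, as an added example that is not part of any poster's message: a small check of whether plain 'su' will reset PATH (ALWAYS_SET_PATH yes in a login.defs-format file) or preserve a caller's PATH that lacks the sbin directories where programs such as 'shutdown' live. The function names, the list of sbin directories and the "last matching line wins" parsing rule are assumptions of this sketch.

```shell
#!/bin/sh
# Added illustration; not code from the thread or from util-linux.

# Print "yes" if the given login.defs-format file enables ALWAYS_SET_PATH,
# else "no". Assumption of this sketch: comment lines are skipped and the
# last matching line wins.
always_set_path() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "ALWAYS_SET_PATH" { v = tolower($2) }
        END { if (v == "yes") print "yes"; else print "no" }
    ' "$1"
}

# Print the sbin directories (assumed list) absent from a PATH string.
missing_sbin() (
    path=":$1:"; missing=""
    for dir in /usr/local/sbin /usr/sbin /sbin; do
        case "$path" in
            *":$dir:"*) ;;
            *) missing="$missing $dir" ;;
        esac
    done
    printf '%s\n' "${missing# }"
)

# What plain 'su' leaves root with: $1 = login.defs file, $2 = caller's PATH.
plain_su_verdict() {
    if [ "$(always_set_path "$1")" = yes ]; then
        echo "reset"                 # su sets PATH itself, like the old su
    elif [ -z "$(missing_sbin "$2")" ]; then
        echo "preserved-ok"          # caller's PATH already has the sbin dirs
    else
        echo "preserved-missing: $(missing_sbin "$2")"
    fi
}

# Constructed sample: a login.defs without the setting, and a user PATH.
defs=$(mktemp)
printf '# constructed sample\nENCRYPT_METHOD SHA512\n' > "$defs"
plain_su_verdict "$defs" "/usr/local/bin:/usr/bin:/bin"
printf 'ALWAYS_SET_PATH yes\n' >> "$defs"
plain_su_verdict "$defs" "/usr/local/bin:/usr/bin:/bin"
rm -f "$defs"
```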



Re: New su behavior in util-linux 2.32

2018-08-11 Thread Pétùr
Le 11/08/2018 à 16:03, Curt a écrit :
> There was a lengthy discussion, but within it I don't remember anyone
> detailing the numerous reasons (or any reason at all) executing plain
> 'su' is a "really bad idea," (where I'm reading "really bad idea" to
> mean having unintended and very detrimental consequences to the
> hapless user).

Sorry I missed the discussion (it was during my vacation). I read it
quickly and, indeed, there is no proper explanation why old "su" is
dangerous to use or a bad idea.




Re: New su behavior in util-linux 2.32

2018-08-11 Thread Samuel Henrique
>
> There was a lengthy discussion, but within it I don't remember anyone
> detailing the numerous reasons (or any reason at all) executing plain
> 'su' is a "really bad idea," (where I'm reading "really bad idea" to
> mean having unintended and very detrimental consequences to the
> hapless user).
>

I think I missed that discussion, will catch that later.

I would like to suggest that instead of showing only "Doing plain 'su' is a
really bad idea for many reasons" on the NEWS file, one should add some
external reference on why it is a bad idea, because most probably the user
using only "su" is not aware of why it's bad and is left empty handed on
the reasons (obviously they can search online, but that doesn't mean we
can't show the reasoning behind that on NEWS).

I'd really like if Stretch users also received an external URL for
reference or a proper explanation on why this is bad during the
Stretch->Buster upgrade.

> There was a lengthy discussion, but within it I don't remember anyone
> detailing the numerous reasons (or any reason at all) executing plain
> 'su' is a "really bad idea," (where I'm reading "really bad idea" to
> mean having unintended and very detrimental consequences to the
> hapless user).


I don't think it's a good idea to expect users to search for that
discussion when they see the NEWS file, we should assume that at the least
they will continue to try using "su" and fallback to "su -" when something
goes wrong, without ever looking for the reasons (and that is what is
actually happening with Brazilian users right now).

-- 
Samuel Henrique 


Re: New su behavior in util-linux 2.32

2018-08-11 Thread Curt
On 2018-08-11, Stefan Krusche  wrote:
>>
>>   The first difference is probably the most user visible one. Doing
>>   plain 'su' is a really bad idea for many reasons, so using 'su -' is
>>   strongly recommended to always get a newly set up environment similar
>>   to a normal login. If you want to restore behaviour more similar to
>>   the previous one you can add 'ALWAYS_SET_PATH yes' in /etc/login.defs.
>> ---
>>
>> The new 'su' is useless for me because it cannot launch root program.
>> I did the modification in /etc/login.defs and restored the previous
>> behavior. However I am concerned with the statement " Doing plain 'su'
>> is a really bad idea for many reasons".
>>
>> Could someone explain to me why this is a bad behavior?
>>
>> Pétùr
>
> Hello Pétùr,
>
> only recently until a couple days ago there was a lengthy discussion about
> just that. Have you missed that? Have a look in the archives for a subject
> line like this: "use of su vs sudo" ...

There was a lengthy discussion, but within it I don't remember anyone
detailing the numerous reasons (or any reason at all) executing plain
'su' is a "really bad idea," (where I'm reading "really bad idea" to
mean having unintended and very detrimental consequences to the
hapless user).


> Kind regards,
> Stefan
>
>


-- 
"She was a blank wall, fresh painted." 
Louise Erdrich, Love Medicine



Re: New su behavior in util-linux 2.32

2018-08-11 Thread Nicolas George
Pétùr (2018-08-11):
> The new 'su' is useless for me because it cannot launch root program.

Maybe learn how to use $PATH?

Regards,

-- 
  Nicolas George




Re: New su behavior in util-linux 2.32

2018-08-11 Thread Stefan Krusche
Am Samstag 11 August 2018 schrieb Pétùr:
> Using 'su' now generates a path error when launching programs such as
> 'shutdown'. The cause is a new behavior described below.
> ---
> util-linux (2.32-0.4) unstable; urgency=medium
>
>   The util-linux implementation of /bin/su is now used, replacing the
>   one previously supplied by src:shadow (shipped in login package), and
>   bringing Debian in line with other modern distributions. The two
>   implementations are very similar but have some minor differences (and
>   there might be more that was not yet noticed ofcourse), e.g.
>
>   - new 'su' (with no args, i.e. when preserving the environment) also
>     preserves PATH and IFS, while old su would always reset PATH and IFS
>     even in 'preserve environment' mode.
>   - su '' (empty user string) used to give root, but now returns an error.
>   - previously su only had one pam config, but now 'su -' is configured
>     separately in /etc/pam.d/su-l
>
>   The first difference is probably the most user visible one. Doing
>   plain 'su' is a really bad idea for many reasons, so using 'su -' is
>   strongly recommended to always get a newly set up environment similar
>   to a normal login. If you want to restore behaviour more similar to
>   the previous one you can add 'ALWAYS_SET_PATH yes' in /etc/login.defs.
> ---
>
> The new 'su' is useless for me because it cannot launch root program.
> I did the modification in /etc/login.defs and restored the previous
> behavior. However I am concerned with the statement " Doing plain 'su'
> is a really bad idea for many reasons".
>
> Could someone explain to me why this is a bad behavior?
>
> Pétùr

Hello Pétùr,

only recently until a couple days ago there was a lengthy discussion about just 
that. Have you missed that? Have a look in the archives for a subject line like 
this: "use of su vs sudo" ...

Kind regards,
Stefan