Should "su" change the USER environment variable?

Spencer W. Thomas thomas at utah-gr.UUCP
Wed Nov 2 08:03:47 AEST 1983


Re: using "login" to gain permissions.

This is a very bad idea.  We have for a long time had login mode 500,
owned by root.  It is very easy for someone to push a shell, login as,
say, "who" (most systems seem to have a who login), then exit the shell,
leaving the user entry in /etc/utmp as "who".  Thus, all his connect
time gets charged to overhead (assuming you are doing accounting, of
course), and in any case, you can't tell what person is REALLY logged in
there.

=Spencer


