Zsh Mailing List Archive
Messages sorted by: Reverse Date, Date, Thread, Author

Re: Zsh configuration files

On Tue, Nov 25, 2008 at 1:32 PM, Peter Stephenson wrote:
> On Tue, 25 Nov 2008 12:10:43 -0500
> "Allan Caffee" wrote:
>> > 2. For running as root, I can just link my normal-user .zshrc and .zshenv
>> > files, and it'll detect that they're linked, and use the .zsh_* files from
>> > my normal-user directory
>> That sounds really dangerous.  You're offering a hook for someone to
>> execute arbitrary code as root.  If someone breaks your user account
>> they could for example add a file in your home directory that resets
>> the root password or does some other really mean things.  If you want
>> root to have the same setup as your regular user you should put it
>> somewhere that only root can write.
> It's probably worth pointing out that if you use sudo, as many people do
> (it's the normal method of accessing root in a lot of places), then it will
> usually execute your own start up files: the shell starts up essentially as
> for the user, except with UID 0.  Furthermore, the password for accessing
> root in this case is the same as the user's own.  So it seems a lot of
> people aren't too worried about this aspect.  They probably tend not to be
> sites accesible by the general public.

"sudo", by default, doesn't start a root shell, and therefore doesn't
run shell rc's by default.  You can force it to, of course, with
something like "sudo -s", but that's not the right way to get a root
shell using sudo; you should instead use 'sudo -i' - which changes
$HOME and runs the shell specified for the user being switched to in
/etc/passwd...  And there's no loss of security from allowing users to
change to the root account with their own password; though of course
sudo can be configured to use the root password instead of the user


Messages sorted by: Reverse Date, Date, Thread, Author