topic Re: SHLIB_PATH and su in Operating System - HP-UX

SHLIB_PATH and su

DELAIRE_1 — Thu, 23 Apr 2009 12:09:38 GMT

Hello,

I have a problem with my environnement variable : SHLIB_PATH.

I have initialize it in /etc/profile :

SHLIB_PATH=/usr/lib ....
export SHLIB_PATH

When i'm connect with one user it's ok :

echo $SHLIB_PATH
SHLIB_PATH=/usr/lib

But, if i use "su" like this way :

su toto

(witout the "-")

My environnement variable SHLIB_PATH disappear... And only SHLIB_PATH. I had try with an other and it's ok ...

I don't understand.

Can you help me, please ?

(Sorry for my english, i'm french ...)

Thanks.

Re: SHLIB_PATH and su

Pete Randall — Thu, 23 Apr 2009 12:19:53 GMT

Looking at the su man page, we see that "su executes a new shell with the real and effective user ID, real and effective group ID, and group access list set to that of the specified user. The new shell is the one specified in the shell field of the new user's entry in the password file, /etc/passwd."

If you use the minus sign ("-"), "the new shell starts up as if the new user had initiated a new login session" and the environment is set accordingly. Without the minus sign, this does not happen - you just start a new shell without setting any special environment.

Pete

Re: SHLIB_PATH and su

Steven E. Protter — Thu, 23 Apr 2009 12:21:51 GMT

Shalom,

su without the - just changes the user and gives you the new users power. It does not load the environment of the new user and does not null value in SHLIB_PATH.

su - username

Loads the new users environment which clearly does not have settings for SHLIB_PATH

As Pete points out its all in the man page which states it better than I can.

SEP

Re: SHLIB_PATH and su

James R. Ferguson — Thu, 23 Apr 2009 12:21:52 GMT

Hi:

Your English is fine!

You need to specify 'SU_KEEP_ENV_VARS=SHLIB_PATH' in '/etc/security/default'. If you do not have the file, simply create it. See the manpages for details:

http://docs.hp.com/en/B3921-60631/security.4.html

Regards!

...JRF...

Re: SHLIB_PATH and su

Duncan Edmonstone — Thu, 23 Apr 2009 12:25:07 GMT

This is done for security purposes to ensure you don't end up looading dodgy shared libraries - you have to explicityly set it again. This is described in the man page for su. Your choices for getting around this are:

i) Just set SHLIB_PATH again after you su, or:

ii) Make a global change to the system to not behave like this. To do this edit or create the file /etc/default/security and add the line:

SU_KEEP_ENV_VARS=SHLIB_PATH

But be aware this is changed for the whole system, so if you have security standards and/or a security team you might want to consider if its the right thing to do.

You can read more about this in the man page security(4) :

man 4 security

HTH

Duncan

Re: SHLIB_PATH and su

DELAIRE_1 — Thu, 23 Apr 2009 12:30:05 GMT

Thanks for your answers !

It works with the file /etc/default/security (and not /etc/security/default, but it's written in the man page that you give)

Thanks for your help !

:-)