
Bug#1133379: [su] Enforced parameter order, breaking scripts

From Christoph Biedl <debian.axhn@manchmal.in-ulm.de>
Newsgroups linux.debian.bugs.dist
Subject Bug#1133379: [su] Enforced parameter order, breaking scripts
Date 2026-04-12 18:50 +0200
Message-ID <MJ6au-eCRE-11@gated-at.bofh.it> (permalink)
Organization linux.* mail to news gateway


Package: util-linux
Version: 2.42-3
Severity: important
# Consider raising severity
X-Debbugs-Cc: debian.axhn@manchmal.in-ulm.de

Hello,

the documented command line parameter order of the su program has been,
possibly since forever:

    su [options] [-] [user [argument...]]

or as an example:

    # su --shell /bin/bash --command date nobody

However, it has been possible for ages to bring the user name first,
as in that example

    # su nobody --shell /bin/bash --command date

This changed somewhere between 2.41.3-4 (testing) and 2.42-3 (unstable),
very likely upstream commit ac0147fd1 ("su: pass arguments after <user>
to shell"). Now the above command yields an error message from the
applicable shell, hence not very helpful:

    nologin: unrecognized option '--shell'

as su now passes everything after the user name to the shell. If you
want to check for yourself:

    strace -f su nobody --shell /bin/bash --command date |& fgrep exec

Previously, working:

    execve("/bin/bash", ["bash", "-c", "date"], 0x55660e7a6d40 /* 23 vars */) = 0

Now, broken:

    execve("/usr/sbin/nologin", ["nologin", "--shell", "/bin/bash", "--command", "date"], 0x55829405ad40 /* 28 vars */) = 0


While that change seems prudent in terms of clarity (Are these
parameters to su or to the command being run?), I'd expect a lot of
breakage as the order of "user name first" has been in many people's
muscle memory for years.

It's not easy to find all use cases, but treating codesearch with

    (regexp) [^a-z0-9_-]su [^-].*-[a-z] path:debian/

and some sifting showed several examples that will likely fail, not
always obviously. Two of them:

    nncp_8.12.1-3/debian/examples/cron-daily-nncp:4
    for TYPE in part seen hdr area; do
            su nncp -s /bin/bash -c "nncp-rm -quiet -all -older 7d -$TYPE"
    done


    nvi_1.81.6-24/debian/patches/30make_recover_script_init_ready.patch:61

    +                        sessions_found="yes"
    +                        owner=`stat --format='%U' $recfile`
    +                        (su nobody -s /bin/sh -c "$SENDMAIL $owner" < $i &) </dev/null >/dev/null 2>&0
    +                else
    +                        rm $i
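
Review bot: the added "su nobody -s /bin/sh -c ..." line names the user before -s and -c, so under the su behaviour described in this report those options are passed to nobody's shell rather than parsed by su. Putting the user last, as in su -s /bin/sh -c "$SENDMAIL $owner" nobody, follows the documented order. Separately, $recfile in the stat call and $i in the redirection and the rm are expanded unquoted, which misbehaves on file names containing whitespace; quoting them would be safer.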

Please catch this gracefully. And while it seems wise to make this
change permanent, this will leave you with the task of alerting all
affected package maintainers (read: MBF).

Personally, I'd try to revert that change for the time being and emit a
grim warning so users can learn about this and adjust. And/or catch the
old usage with some heuristics (first argument is a user name, second a
parameter su understands), and emit a more helpful warning/error message
than the one above. And of course, place this prominently in the forky
release notes. But that's not for me to decide.

    Christoph

-- System Information:
Debian Release: forky/sid
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)

Kernel: Linux 6.12.80 (SMP w/8 CPU threads)
Kernel taint flags: TAINT_WARN
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages util-linux depends on:
ii  libblkid1       2.42-3
ii  libc6           2.42-14
ii  libcap-ng0      0.9.2-1
ii  libcrypt1       1:4.5.1-1+b1
ii  libmount1       2.42-3
ii  libpam-modules  1.7.0-5+b1
ii  libpam-runtime  1.7.0-5
ii  libpam0g        1.7.0-5+b1
ii  libselinux1     3.10-1
ii  libsmartcols1   2.42-3
ii  libsystemd0     260.1-1+jj1+deb99
ii  libtinfo6       6.6+20251231-1
ii  libudev1        260.1-1+jj1+deb99
ii  libuuid1        2.42-3

Versions of packages util-linux recommends:
ii  sensible-utils  0.0.26

Versions of packages util-linux suggests:
pn  dosfstools          <none>
ii  kbd                 2.9.0-1
ii  util-linux-extra    2.42-3
pn  util-linux-locales  <none>
pn  wtmpdb              <none>

-- no debconf information
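
The heuristic suggested in the report (first argument is a user name, a later one is a parameter su understands), written out as an added example that is not part of the original message or of util-linux: a Python scanner that flags user-first su invocations in script lines. The option tables follow su(1), the sample lines are constructed, and the function names are hypothetical.

```python
import shlex

# su(1) options that consume a value, and plain flags (bundled short
# options such as "-lc" are not handled by this heuristic).
TAKES_VALUE = {"-c", "--command", "--session-command", "-g", "--group",
               "-G", "--supp-group", "-s", "--shell",
               "-w", "--whitelist-environment"}
FLAGS = {"-l", "--login", "-f", "--fast", "-m", "-p",
         "--preserve-environment", "-P", "--pty"}
SHELL_OPS = set("();<>|&")

def user_first_su(line):
    """Return (user, su options found after the user) or None."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""
    try:
        toks = list(lex)
    except ValueError:          # unbalanced quotes: not parseable as one line
        return None
    for i, tok in enumerate(toks):
        if tok != "su" and not tok.endswith("/su"):
            continue
        user, late, skip = None, [], False
        for arg in toks[i + 1:]:
            if arg[:1] in SHELL_OPS:    # redirection, pipe etc. ends su's argv
                break
            name = arg.split("=", 1)[0]
            if skip:                    # value of the preceding option
                skip = False
            elif name in TAKES_VALUE or name in FLAGS:
                skip = name in TAKES_VALUE and "=" not in arg
                if user is not None:
                    late.append(name)
            elif user is None and arg != "-":
                user = arg
        if late:
            return user, late
    return None

# Constructed sample input, modelled on the invocations quoted in the report.
SAMPLE = """\
su nncp -s /bin/bash -c "nncp-rm -quiet -all -older 7d -$TYPE"
su --shell /bin/bash --command date nobody
su - postgres
(su nobody -s /bin/sh -c "$SENDMAIL $owner" < $i &) </dev/null >/dev/null 2>&0
su -l -s /bin/sh www-data -c true
"""

def scan(text):
    """Return [(line number, user, late options)] for every flagged line."""
    hits = ((n, user_first_su(l)) for n, l in enumerate(text.splitlines(), 1))
    return [(n, *hit) for n, hit in hits if hit]
```

Calling scan() on a script's text lists each line where su options follow the user name, which is the ordering that ends up in the target shell's argv in the strace output above.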
