Control: tags -1 + moreinfo

Hello Kapil Hari Paranjape,

Thanks for your bug report. (Reply inline below.)

On Wed, Aug 08, 2018 at 05:36:31PM +0530, Kapil Hari Paranjape wrote:
> Package: util-linux
> Version: 2.32-0.4
> Severity: normal
>
> Dear Maintainer,
>
> Running "su -" or "su -l" or "su --login" makes use of /etc/pam.d/su-l
> which revokes *all* keys in the session keyring.
>
> This can be unexpected in situations where the key is utilised by the
> invoking user (for example, to access an encrypted file system as
> happened in my case; see https://github.com/dnschneid/crouton/issues/3860).
>
> Hence, at the very least it needs to be documented.

There were absolutely zero replies to my call for help with reviewing the pam configuration in:
https://lists.debian.org/debian-devel/2018/06/msg00048.html

I'm thus not very sympathetic towards comments about how things could be better.

>
> It is indeed unfortunate that a single command "su" is used in a large
> number of different ways and contexts in scripts across diverse systems
> *without* consideration of the semantics. However, any such change is
> bound to cause breakage and documentation is the best way to avoid
> flames!

Please do feel free to write something up and send it as a merge request! Your contribution will be very appreciated! I'll offer to review them once I find time for it.

I'm however not sure that changes to the util-linux is the best place to document generic sysadmin best practices. As discussed elsewhere it's probably better to contribute a chapter to "debian handbook" or similar documents.

Please note that IMO users are always better off by using sudo instead of su.

I'm tagging this bug report with 'moreinfo' as in my view you're asking for documenting the new su-l pam configuration, which is already described in util-linux.NEWS in the version you reported this bug against. I thus don't see what remains to be done to close it.

Regards,
Andreas Henriksson