[sudo-users] documentation clarification
Terry Inzauro
terry at remote-shell.org
Mon Sep 14 17:08:45 MDT 2015
Recently, I discovered a behavior that I don't understand. When
allowing a user to run a command as root (with the -i switch), I
noticed that root's shell must also be listed in the sudo command
definition.
Command:
sudo -i /path/to/somecommand somearg
/etc/sudoers configuration:
Defaults:APP_USERS requiretty,!lecture
Host_Alias APP_HOSTS = *
User_Alias APP_USERS = foouser, baruser
# DOESN'T WORK
Cmnd_Alias APP_BIN = /path/to/somecommand somearg
# WORKS
Cmnd_Alias APP_BIN = /path/to/somecommand somearg, /bin/bash
APP_USERS APP_HOSTS = (root) APP_BIN
Log:
# DOESN'T WORK
Sep 14 22:35:47 2015 : foouser : HOST=somehost : command not allowed ;
TTY=pts/1 ; PWD=/home/foouser ; USER=root ; COMMAND=/bin/bash -c
/path/to/somecommand somearg
# WORKS
Sep 14 22:34:59 2015 : foouser : HOST=somehost : TTY=pts/1 ;
PWD=/home/foouser ; USER=root ; TSID=000008 ; COMMAND=/bin/bash -c
/path/to/somecommand somearg
Sudo version 1.8.6p7
Configure options: --build=x86_64-redhat-linux-gnu
--host=x86_64-redhat-linux-gnu --program-prefix=
--disable-dependency-tracking --prefix=/usr --exec-prefix=/usr
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc
--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64
--libexecdir=/usr/libexec --localstatedir=/var
--sharedstatedir=/var/lib --mandir=/usr/share/man
--infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin
--libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.8.6p7
--with-logging=syslog --with-logfac=authpriv --with-pam
--with-pam-login --with-editor=/bin/vi --with-env-editor
--with-ignore-dot --with-tty-tickets --with-ldap
--with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux
--with-passprompt=[sudo] password for %p: --with-linux-audit
--with-sssd
Sudoers policy plugin version 1.8.6p7
Sudoers file grammar version 42
Is it possible to allow a user to run a command as root with root's
environment, without adding the shell to the command definition?
Note:
Based on the documentation for sudo -i, I did not expect this behavior.
kind regards,
Terry
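As an added example (not part of the original mail), a small parser for the sudo log lines quoted above: it shows that `sudo -i cmd` is logged, and matched against sudoers, as `/bin/bash -c cmd`, which is why APP_BIN has to permit the shell itself. The log lines and the SHELLS set are constructed for this example.

```python
"""Parse sudo log lines and flag entries where sudo -i/-s wrapped the
requested command in the target user's shell ("<shell> -c <cmd>")."""
import re

# Constructed sample log, modelled on the lines quoted in the mail.
LOG = """\
Sep 14 22:35:47 2015 : foouser : HOST=somehost : command not allowed ; TTY=pts/1 ; PWD=/home/foouser ; USER=root ; COMMAND=/bin/bash -c /path/to/somecommand somearg
Sep 14 22:34:59 2015 : foouser : HOST=somehost : TTY=pts/1 ; PWD=/home/foouser ; USER=root ; TSID=000008 ; COMMAND=/bin/bash -c /path/to/somecommand somearg
Sep 14 22:40:01 2015 : baruser : HOST=somehost : TTY=pts/2 ; PWD=/home/baruser ; USER=root ; COMMAND=/path/to/somecommand somearg
"""

# Assumption: the shells that sudo -i/-s may use for the target user.
SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/bash"}


def parse_line(line):
    """Split one sudo log line into a dict of its fields."""
    time, _, rest = line.partition(" : ")
    user, _, rest = rest.partition(" : ")
    # Everything after COMMAND= is the command string (it may contain spaces).
    pre, _, cmd = rest.partition("COMMAND=")
    fields = {"time": time, "user": user, "command": cmd.strip(), "denied": False}
    for part in re.split(r" [:;] ", pre.strip(" ;")):
        if part == "command not allowed":
            fields["denied"] = True
        elif "=" in part:
            key, value = part.split("=", 1)
            fields[key] = value
    return fields


def shell_wrapped(command):
    """Return the inner command if sudo ran '<shell> -c <cmd>', else None.
    sudo logs the -c argument as one unquoted string, so split on at most
    two spaces rather than tokenising it."""
    argv = command.split(" ", 2)
    if len(argv) == 3 and argv[0] in SHELLS and argv[1] == "-c":
        return argv[2]
    return None


def analyze(log_text):
    """One finding per line: user, denial status, and the command that was
    actually matched against sudoers versus the one the user typed."""
    findings = []
    for line in log_text.splitlines():
        f = parse_line(line)
        inner = shell_wrapped(f["command"])
        f["shell_wrapped"] = inner is not None
        f["effective_command"] = inner if inner is not None else f["command"]
        findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyze(LOG):
        status = "DENIED " if f["denied"] else "allowed"
        print(f"{status} {f['user']:8} wrapped={f['shell_wrapped']!s:5} {f['command']}")
```

Note that once `/bin/bash` appears in APP_BIN with no argument restriction, sudoers also permits `sudo /bin/bash` outright, so the "WORKS" alias grants an unrestricted root shell rather than just the one command.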