[sudo-users] RE: SUDOSCRIPT V2.1.2 's New Switch "-" Issue ????

Howard Owen hbo at egbok.com
Fri Mar 11 02:02:18 EST 2005

(CC to sudo-users. This is correspondence with a sudoscript user on
HP-UX. He's run into problems using the '-' switch in sudoshell. It
works like 'su -' when the shell is bash. Apparently, it doesn't work
with ksh. The CC is to harness collective wisdom on how (or if) this
might be overcome.)


HP-UX is supported because a user was interested enough to do the port.
Of course shells other than bash are supported. But this latest feature
doesn't seem to work in ksh. It only works in bash because I stumbled
across the behavior I described, when $HOME is set to some other
directory, and you crack a new shell, bash looks for startup files
there.  Apparently ksh doesn't. I know of no other way to get this
behavior, since sudoscript is actually running sudo, which in turn runs
script to invoke the shell. Before I added the feature in 2.1.2, the
documented behavior was (and still is, in fact) found in the SUDOCONFIG:

"User Environment

Sudoscript uses the script(1) command to log activity in the
shell. This means that the shell is actually executed by script(1),
not sudoshell or sudo.  There is therefore no way to get an effect
such as that produced by "su - oracle". That is, the shell will have
the user's original environment, and not that of the oracle user."

When I get a chance, I'll look at ksh on Solaris and Linux to see if it
indeed behaves as you indicate. If it does, I'm afraid there's not much
I can do to change it. It's an architectural drawback of gluing separate
tools together to make something new. While that is in the best Unix
tradition, and has advantages (such as leveraging well debugged and
widely ported applications like sudo(1) and script(1) instead of
reinventing the wheel, new bugs and all), it also leaves you with less
control than if you were doing all the work yourself in a unified app.

Along those lines, there is a new tool called "sudosh" by Doug Hanks.
He's replaced the script(1) portion with his own C code. This allows for
better logging among other things. It could mean that he could provide
the feature you are looking for more easily than could sudoscript, if he
hasn't in fact already done so:

For the record, I think there is room for both sudoscript and sudosh.
The two architectures both have advantages and drawbacks, some of which
I've outlined above.


On Fri, 2005-03-11 at 14:05 +0800, eric.mui at oocl.com wrote:
> Hi Howard,
> Many thanks for the prompt reply.
> I've tried
> 	/opt/sudoscript/bin/ss -u oracle -
> but it still does not seem to load <HOME>/.profile, even if I've changed
> directory to the <HOME> before executing ss.
> Do you mean the tested supported shell is bash only for V212, but all
> along sudoscript does support Solaris and HP which don't have bash?? I
> wonder?
> Where else can I get help? I suppose there should be quite a number of
> sudoscript end-users who're using HP or Solaris platforms, right?
> Many thanks!!!!
> -----Original Message-----
> From: Howard Owen [mailto:hbo at egbok.com] 
> Sent: Friday, March 11, 2005 12:38 PM
> Subject: Re: SUDOSCRIPT V2.1.2 's New Switch "-" Issue ????
> I don't have an HP-UX environment in which to test, so I'm not
> completely sure what the trouble is. I can think of two possibilities.
> First, as I say in the RELEASENOTES file:
> New Option to sudoshell
> =======================
> The "-" option has been added to ss/sudoshell. This sets the $HOME
> environment variable to that of the user ss will become. This causes the
> shell (bash, at least) to load the target user's environment instead of
> the calling user's.
> The notation "bash, at least" means that it may not work the same way
> with ksh. The trick I use is to set the $HOME environment variable to
> the home directory of the user ss will become. With bash, this causes
> the new shell to source the new user's .profile or .bash_profile. It's
> quite possible that ksh doesn't behave this way.
> The other (faint) possibility is that the order of the parameters in the
> sudoers file may matter. In ss, I place the dash at the end of the
> command string if I have to reexec myself. You have it before the -u. It
> might work if you change the command to read, following your example,
> oracle		/opt/sudoscript/bin/ss -u oracle -
> I don't hold out a lot of hope for this, but it might help.
> Good luck, and let me know what you find.
> On Fri, 2005-03-11 at 09:31 +0800, eric.mui at oocl.com wrote:
> > Hi Howard,
> > 
> > I've tried to use the new switch "-" on the Sudoscript V2.1.2,
> > but I still find the ss or sudoshell logon session still does
> > not obtain the user shell environment variables, just as it
> > happens on the previous version V.2.1.1, for some reason ??
> > 
> > For example, the $PATH and LD_LIBRARY_PATH still have been
> > reset to minimal after ss or sudoshell to a userid.
> > 
> >   * Is my syntax correct as shown below ??
> >   * Any other advice on the possibilities where I've gone
> >     wrong ??
> > 
> >     <$SUDO_BIN>/bin/sudo -u <$SU_ID>  <$SUDOSHELL_BIN>/bin/ss - -u <$SU_ID>
> > 
> >     E.g.  /opt/sudo/bin/sudo -u oracle      /opt/sudoscript/bin/ss  -  -u  oracle
> > 
> > The Platforms and Versions I'm testing on :-
> > 
> >   * HP-UX 11i
> >   * Sudo V168p4
> >   * Sudoscript V2.1.2
> >   * ksh, sh
> > 
> > I'd very much appreciate it if you could give me some help. Many Thanks in
> > advance !!!!
Howard Owen, RHCE, BMOC, GP
EGBOK Consultants, Linux Architect
hbo at egbok.com, +1-650-218-2216
"Even if you are on the right track, you'll get run over if you just sit there." - Will Rogers
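The mechanism the thread turns on, redirecting $HOME so that the shell started underneath script(1) picks up the target user's startup files, can be reproduced outside sudoscript. The script below is an added example and is not code from sudoscript, sudosh or the thread's participants. It builds a throw-away home directory (constructed here, with a .profile and a .bashrc that each export a different MARKER), points $HOME at it, starts a shell in each of the three invocation modes that decide which startup file is read, and reports which one actually ran. It assumes bash is installed; the shell binary is a parameter, so the same check can be repeated with ksh on a system that has it, provided that shell accepts the same -l and -i flags. Which mode script(1) uses when it starts the logged shell is not asserted here; that is exactly what the check lets you find out on your own platform.

```shell
#!/bin/sh
# Added example, not part of sudoscript: reproduce the "-" trick in isolation.
# A throw-away home directory (constructed here) gets a .profile and a .bashrc
# that each export a different MARKER; we then point $HOME at it, start a shell
# the way a wrapper might, and read back which startup file actually ran.

# Create the fake home; prints its path.
make_fake_home() {
    dir=$(mktemp -d)
    printf 'MARKER=profile\nexport MARKER\n' > "$dir/.profile"
    printf 'MARKER=bashrc\nexport MARKER\n'  > "$dir/.bashrc"
    printf '%s\n' "$dir"
}

# marker_for FAKE_HOME MODE [SHELL]
#   MODE is login (shell -l), interactive (shell -i) or plain (no flag).
#   SHELL defaults to bash; pass ksh to repeat the check on the shell the
#   thread is about. Prints profile, bashrc or none.
marker_for() {
    home=$1
    mode=$2
    sh_bin=${3:-bash}
    case $mode in
        login)       flag=-l ;;
        interactive) flag=-i ;;
        plain)       flag=   ;;
        *) echo "unknown mode: $mode" >&2; return 2 ;;
    esac
    rm -f "$home/result"
    # BASH_ENV and ENV are cleared so only $HOME decides what gets sourced.
    # The inner shell writes the marker to a file instead of stdout, so noise
    # from /etc/profile or a missing tty cannot corrupt the result.
    env BASH_ENV= ENV= HOME="$home" "$sh_bin" $flag -c \
        'printf "%s" "${MARKER:-none}" > "$HOME/result"' >/dev/null 2>&1
    cat "$home/result" 2>/dev/null || echo none
}

# Stand-alone run: show all three modes for bash.
fake=$(make_fake_home)
for m in login interactive plain; do
    printf '%-12s -> %s\n' "$m" "$(marker_for "$fake" "$m")"
done
rm -rf "$fake"
```

With bash the three rows come out as profile, bashrc and none: a login shell reads ~/.profile (when no ~/.bash_profile or ~/.bash_login exists), an interactive non-login shell reads ~/.bashrc, and a plain non-interactive shell reads neither. Whatever the result on your platform, note what the "-" switch actually does from a security standpoint: the startup files in the target user's home are executed with that account's privileges by the shell you just became, so the ownership and permissions of those files deserve the same scrutiny as the sudoers entry that grants the shell.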