[sudo-users] RE: SUDOSCRIPT V2.1.2 's New Switch "-" Issue ????

Bob Proulx bob at proulx.com
Fri Mar 11 11:29:03 EST 2005

Howard Owen wrote:
> When I get a chance, I'll look at ksh on Solaris and Linux to see if it

Note that on most GNU/Linux systems /bin/ksh is not the AT&T ksh but
is instead pdksh, public domain ksh, a clone.  It has improved
significantly in recent years.  But is a different source tree and
really should be considered a different shell entirely from AT&T ksh
for purposes of looking at compatibility.

> > New Option to sudoshell
> > =======================
> > The "-" option has been added to ss/sudoshell. This sets the $HOME
> > environment variable to that of the user ss will become. This causes the
> > shell (bash, at least) to load the target user's environment instead of
> > the calling user's.
> >
> > The notation "bash, at least" means that it may not work the same way
> > with ksh. The trick I use is to set the $HOME environment variable to
> > the home directory of the user ss will become. With bash, this causes
> > the new shell to source the new user's .profile or .bash_profile. It's
> > quite possible that ksh doesn't behave this way.

The important point that I did not see explicitly made there is that a
shell that looks at its own name (by looking at argv[0]) and finds
that it starts with a "-" (such as -sh, or -ksh, or -bash) will
consider itself a login shell.  As a login shell it will source login
environment configuration files such as .bash_profile, .profile, etc.

> > The other (faint) possibility is that the order of the parameters in the
> > sudoers file may matter. In ss, I place the dash at the end of the
> > command string if I have to reexec myself. You have it before the -u. It
> > might work if you change the command to read, following your example,

I am not a sudoshell user and can't really comment further.  But if
the end shell is launched with a leading dash then the login
environment should be loaded.  It should be possible to see this in a
'ps -ef' listing which shows the full command line.  You should see
the leading dash there.  Here is an example of a login shell.

  bob       3051  3038  0 Mar02 pts/0    00:00:00 -bash

> > >         For example, the $PATH and LD_LIBRARY_PATH still has been
> > >         reset to minimal after ss or sudoshell to a userid. 

HP-UX does not use LD_LIBRARY_PATH.  HP-UX uses SHLIB_PATH.  But it is
only in effect if the executable binary has been chatr'd to enable
"shared library dynamic path search".

Also note that ksh has the following related behavior.

                -p      Disables processing of the $HOME/.profile
                        file and uses the file /etc/suid_profile
                        instead of the ENV file.  This mode is on
                        whenever the effective uid (gid) is not
                        equal to the real uid (gid). Turning this
                        off causes the effective uid and gid to be
                        set to the real uid and gid.

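Added example, not part of Bob Proulx's message or of sudoscript: a small POSIX sh script that makes the argv[0] rule concrete. It starts bash under a chosen argv[0] and reports whether bash regards itself as a login shell, and it scans constructed `ps -ef` style lines for the leading dash Bob says to look for. It assumes bash is on the PATH and that `ps -ef` puts the command in the eighth column, as in the listing above.

```shell
#!/bin/sh
# Added example (not from the original thread).  Assumes bash is installed;
# the ps -ef sample below is constructed for the demo, not real output.

# Launch bash with argv[0] set to $1 and report whether it considers itself
# a login shell.  --noprofile stops the demo from actually sourcing
# /etc/profile or ~/.bash_profile; the login_shell flag is still derived
# from argv[0], which is the behaviour being shown.
login_status_for_argv0() {
    bash -c 'exec -a "$1" bash --noprofile -c "shopt -q login_shell && echo login || echo non-login"' _ "$1"
}

# Read ps -ef style lines on stdin and print the PID of every process whose
# command field (assumed to be column 8) starts with "-", i.e. a login shell.
login_shells_in_ps() {
    awk '$8 ~ /^-/ { print $2 }'
}

# Constructed sample resembling a ps -ef listing; only PID 3051 is a login shell.
SAMPLE_PS='UID        PID  PPID  C STIME TTY          TIME CMD
bob       3038  3037  0 Mar02 ?        00:00:00 sshd: bob@pts/0
bob       3051  3038  0 Mar02 pts/0    00:00:00 -bash
bob       4120  3051  0 Mar02 pts/0    00:00:00 bash
bob       4121  4120  0 Mar02 pts/0    00:00:00 ps -ef'

main() {
    echo "argv[0]=-bash : $(login_status_for_argv0 -bash)"   # login
    echo "argv[0]=bash  : $(login_status_for_argv0 bash)"    # non-login
    echo "login shells in sample ps output:"
    printf '%s\n' "$SAMPLE_PS" | login_shells_in_ps            # 3051
}

main "$@"
```

The same check applies after an `ss -`/`sudoshell -` run: if the resulting shell does not show a leading dash in `ps -ef`, the login environment was never loaded, whatever $HOME was set to.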