[sudo-users] Sudo version 1.7.2

Todd C. Miller Todd.Miller at courtesan.com
Thu Aug 13 09:16:09 EDT 2009


In message <D482C0D418DC0743907990087D6A06E9044393C3 at EDCWMSGP002CZ.bcbsfl.com>
	so spake "Morgan, Pat" (Pat.Morgan):

> Does anyone have experience using the -i with this new version of sudo?
> It seems the only way for me to source the user's .profile is to have
> /usr/bin/ksh in the /etc/sudoers file for the command.  I obviously do
> not want to add /usr/bin/ksh among the commands to run as a particular
> user because I could easily become that user by typing "sudo -u username
> /usr/bin/ksh" and then run whatever I want.  I have noticed that when I
> add /usr/bin/ksh to the sudoers file that what it effectively does is to
> do an "su - username -c command" 

Yes, the only way to run a command and to have the user's .profile etc.
sourced is to run the command through a login shell, which is
what "sudo -i command" does.

You can still give users explicit access to a command this way.
E.g.

todd ALL=(operator) /usr/bin/ksh -c dump

would allow user todd to run "sudo -i dump".  Note that in this case
it is the shell and not sudo that will search the path for the dump
command.  Since this is a login shell, the PATH used will be what
the .profile sets.

 - todd
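
An added example, not part of the original message or of sudo itself: a small Python audit that classifies simple sudoers entries along the lines discussed above, separating a bare shell grant (the concern raised in the question), a `-c` entry whose command name the login shell resolves through PATH, and a `-c` entry pinned to an absolute path. The shell list, the simplified grammar, the verdict names and `/sbin/dump` are assumptions, and the sample fragment is constructed.

```python
import re
import shlex

# Assumed list of shell paths to treat as shells; extend for your systems.
SHELLS = {"/bin/sh", "/bin/ksh", "/usr/bin/ksh", "/bin/bash", "/usr/bin/bash"}

# Simplified grammar: "user host=(runas) /command args". Aliases, tags,
# comma-separated lists and line continuations are not handled.
SPEC = re.compile(
    r"^(?!Defaults)(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmd>/.*)$"
)

def classify(line):
    """Return a verdict for one sudoers line, or None if it is not a simple user spec."""
    m = SPEC.match(line.split("#", 1)[0].strip())
    if not m:
        return None
    argv = shlex.split(m.group("cmd"))
    if argv[0] not in SHELLS:
        return "not-a-shell"
    if len(argv) == 1:
        # No arguments in sudoers means any arguments match, so the user
        # can start the shell interactively as the target user.
        return "unrestricted-shell"
    if argv[1] != "-c" or len(argv) < 3 or any(c in "*?[" for c in " ".join(argv[2:])):
        return "needs-review"
    # "-c name": the login shell looks the name up in the PATH set by .profile.
    return "pinned" if argv[2].startswith("/") else "path-dependent"

def audit(text):
    """Return [(line_number, verdict)] for every simple user spec in text."""
    rows = [(n, classify(l)) for n, l in enumerate(text.splitlines(), 1)]
    return [(n, v) for n, v in rows if v is not None]

# Constructed sample; /sbin/dump is an assumed location for dump.
SAMPLE = """\
# constructed sudoers fragment
pat  ALL=(operator) /usr/bin/ksh
todd ALL=(operator) /usr/bin/ksh -c dump
todd ALL=(operator) /usr/bin/ksh -c /sbin/dump
ops  ALL=(root) /sbin/dump
"""

if __name__ == "__main__":
    for n, verdict in audit(SAMPLE):
        print(n, verdict)
```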


