[sudo-users] Sudo version 1.7.2
Todd C. Miller
Todd.Miller at courtesan.com
Thu Aug 13 09:16:09 EDT 2009
In message <D482C0D418DC0743907990087D6A06E9044393C3 at EDCWMSGP002CZ.bcbsfl.com>
so spake "Morgan, Pat" (Pat.Morgan):
> Does anyone have experience using the -i with this new version of sudo?
> It seems the only way for me to source the user's .profile is to have
> /usr/bin/ksh in the /etc/sudoers file for the command. I obviously do
> not want to add /usr/bin/ksh among the commands to run as a particular
> user because I could easily become that user by typing "sudo -u username
> /usr/bin/ksh" and then run whatever I want. I have noticed that when I
> add /usr/bin/ksh to the sudoers file that what it effectively does is to
> do an "su - username -c command"
Yes, the only way to run a command and to have the user's .profile etc.
sourced is to run the command through a login shell, which is
what "sudo -i command" does.
You can still give users explicit access to a command this way.

    todd ALL=(operator) /usr/bin/ksh -c dump

would allow user todd to run "sudo -i dump". Note that in this case
it is the shell and not sudo that will search the path for the dump
command. Since this is a login shell, the PATH used will be what
the .profile sets.
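
Added example, not part of the original message: a sandboxed shell sketch of the point above, that a bare command name handed to a login shell resolves through the PATH set by .profile, while an absolute path does not depend on it. The directories, the two stand-in "dump" scripts and the helper names are constructed for the demo, and the login shell is emulated by sourcing .profile before running the command.

```shell
#!/bin/sh
# Constructed sandbox: a throwaway HOME with a .profile and two stand-in
# "dump" scripts, so the lookup can be observed without touching real files.
demo_setup() {
    SANDBOX=$(mktemp -d) || return 1
    mkdir -p "$SANDBOX/home/bin" "$SANDBOX/sbin"
    printf '#!/bin/sh\necho system-dump\n'  > "$SANDBOX/sbin/dump"
    printf '#!/bin/sh\necho profile-dump\n' > "$SANDBOX/home/bin/dump"
    chmod +x "$SANDBOX/sbin/dump" "$SANDBOX/home/bin/dump"
    # The target account's .profile puts its own bin directory first.
    printf 'PATH=$HOME/bin:$PATH\nexport PATH\n' > "$SANDBOX/home/.profile"
}

# Emulates "<login shell> -c <command>": start from a clean environment,
# read the account's .profile, then let the shell resolve and run the command.
run_as_login_shell() {
    env -i HOME="$SANDBOX/home" PATH="$SANDBOX/sbin:/usr/bin:/bin" \
        sh -c '. "$HOME/.profile"; eval "$1"' sh "$1"
}

demo_setup
# Bare name: the shell searches the PATH that .profile just set.
echo "bare name 'dump'   -> $(run_as_login_shell dump)"
# Absolute path: no PATH search takes place.
echo "absolute path      -> $(run_as_login_shell "$SANDBOX/sbin/dump")"
rm -rf "$SANDBOX"
```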