[sudo-users] executing with different user environment

Todd C. Miller Todd.Miller at courtesan.com
Fri Mar 15 14:20:10 MDT 2013

On Fri, 15 Mar 2013 12:42:13 -0400, Matt Williams wrote:

> I would like to allow all members in the %devops group to execute certain
> knife commands as the chef user. I've dropped a sudo file in the
> /etc/sudoers.d/chef that contains the following:
> Defaults:%devops env_reset
> %devops ALL=(chef) NOPASSWD:/usr/bin/knife

It looks like that should work.  I did a quick test with sudo 1.7.2p1
and as long as I use the -H flag $HOME gets set appropriately.

> Then, as a user that is a member of the devops group, I get this:
> $ sudo -H -u chef knife node list
> WARNING: No knife configuration file found
> Note that knife will look in $HOME/.chef/knife.rb before looking in
> /etc/chef so it needs to be hitting /home/chef/.chef/knife.rb. I then
> execute this as a sanity check:
> $ sudo -H -u chef echo $HOME  #my user is also a member of %sysadmin group,
> which has ALL=(ALL)
> /home/mattw

$HOME may be expanded by your shell before sudo is run.  A better
test would be:

$ sudo -H -u chef printenv HOME

 - todd

More information about the sudo-users mailing list