[sudo-users] sudo -u & environment help
Craig R. Skinner
skinner at britvault.co.uk
Mon May 19 14:45:03 MDT 2014
Hi sudoers,
$ sudo -V
Sudo version 1.7.2p8
$ uname -a
OpenBSD teak.britvault.co.uk 5.4 GENERIC#37 i386
sudo -Hiu <user> not setting $PATH, $MAIL & umask:
http://thread.gmane.org/gmane.os.openbsd.misc/211823/
Comments?
Craig.
----- Forwarded message -----
To clarify, there are no ~/. shell dot files.
$PATH & umask are set in /etc/login.conf
$MAIL is the default set by login(1)
/etc/profile sources /etc/ksh.kshrc, which just sets $PS1,
window decor & some aliases, nothing major.
This arrangement works fine when logging in directly,
or via "sudo su -l user"
From my reading of sudo(8), I thought the same environment could be
gained with something like "sudo -H -i -u username".
Am I missing sudo flags or settings in /etc/sudoers?
On 2014-04-04 Fri 11:30 AM |, Craig R. Skinner wrote:
> Hi,
>
> When sudo'ing to another user, how can I obtain all of their environment
> settings as they receive when logging in themselves?
>
> When I use sudo in this manner, settings such as $PATH, $MAIL & umask
> aren't being honoured:
>
>
> $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> craig
> /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
> /var/mail/craig
> 027
>
>
>
> Here, $PATH, $MAIL & umask are unchanged:
>
> $ sudo -H -i -u david
> $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> david
> /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
> /var/mail/craig
> 027
>
>
> Compare the difference when logging in as that user:
>
> $ login david
> ...
> $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> david
> /usr/bin:/bin:/usr/local/bin:/usr/site/bin:/home/david/bin
> /var/mail/david
> 022
>
>
>
>
> /etc/login.conf:
> default:\
> :passwordcheck=/usr/local/bin/pwqcheck -1:\
> :passwordtries=0:\
> :path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\
> :umask=022:\
> :datasize-cur=....
>
> staff:\
> :path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin /usr/site/bin /usr/site/sbin ~/bin:\
> :umask=027:\
> :datasize-cur=....
>
>
> $ egrep 'env_|Defaults' /etc/sudoers | grep -v ^#
> Defaults env_keep +="DESTDIR DISTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP MAKE"
> Defaults env_keep +="MAKECONF MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_CACHE"
> Defaults env_keep +="PKG_DBDIR PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR"
> Defaults env_keep +="RELEASEDIR SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL"
> Defaults env_keep +="WRKOBJDIR"
> Defaults always_set_home, ignore_dot, use_loginclass
>
>
>
> login(1):
>
> login enters information into the environment (see environ(7)) specifying
> the user's home directory (HOME), command interpreter (SHELL), search
> path (PATH), terminal type (TERM), and user name (both LOGNAME and USER).
>
> ENVIRONMENT
> login sets the following environment variables:
>
> HOME
> MAIL
>
> sudo(8):
>
> Command Environment
> ...................... On BSD systems, if the use_loginclass option is
> enabled, the environment is initialized based on the path and setenv
> settings in /etc/login.conf. The new environment contains the TERM,
> PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
> addition to variables from the invoking process permitted by the
> env_check and env_keep options. This is effectively a whitelist for
> environment variables.
>
>
>
> How can I become another user - without knowing their password,
> and gain their 'natural' environment?
>
> e.g. from wheel group to a users group member.
>
> 'su -l username' & 'login username' require their password.
>
> I thought 'sudo -H -i -u username' would do it.
>
> Any suggestions on what else I need to configure?
----- End forwarded message -----
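As an added illustration that is not part of the original thread: the sudo(8) passage quoted above describes env_keep as a whitelist, so the following model (my own code, not sudo's) parses the poster's `Defaults` lines and shows which variables from the invoking process would pass that whitelist. The base set (TERM, PATH, HOME, MAIL, ...) is created by sudo itself; the model only records that those names are present, since whether their values come from login.conf is exactly what the post is asking.

```python
import re

# Constructed from the egrep output quoted in the post.
SUDOERS = """\
Defaults env_keep +="DESTDIR DISTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP MAKE"
Defaults env_keep +="MAKECONF MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_CACHE"
Defaults env_keep +="PKG_DBDIR PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR"
Defaults env_keep +="RELEASEDIR SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL"
Defaults env_keep +="WRKOBJDIR"
Defaults always_set_home, ignore_dot, use_loginclass
"""

# Names sudo(8) says are always present in the new environment.
BASE_VARS = {"TERM", "PATH", "HOME", "MAIL", "SHELL", "LOGNAME", "USER", "USERNAME"}

ENV_KEEP_RE = re.compile(r'^\s*Defaults\s+env_keep\s*(\+=|-=|=)\s*"([^"]*)"')
OPTIONS_RE = re.compile(r'^\s*Defaults\s+([^=]+)$')


def parse_env_keep(text):
    """Accumulate the env_keep whitelist across =, += and -= lines."""
    keep = set()
    for line in text.splitlines():
        m = ENV_KEEP_RE.match(line)
        if not m:
            continue
        op, names = m.group(1), set(m.group(2).split())
        if op == "=":
            keep = names
        elif op == "+=":
            keep |= names
        else:
            keep -= names
    return keep


def parse_options(text):
    """Flag options such as use_loginclass from plain Defaults lines."""
    opts = set()
    for line in text.splitlines():
        m = OPTIONS_RE.match(line)
        if m and not ENV_KEEP_RE.match(line):
            opts |= {o.strip() for o in m.group(1).split(",")}
    return opts


def split_env(invoking_env, keep):
    """Partition the invoker's variables into (passed, dropped) names.
    BASE_VARS are reported as passed because sudo recreates them; their
    values in the new environment are sudo's, not necessarily the invoker's."""
    passed = {k for k in invoking_env if k in keep or k in BASE_VARS}
    return passed, set(invoking_env) - passed
```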