[sudo-users] sudo -u & environment help

Craig R. Skinner skinner at britvault.co.uk
Mon May 19 14:45:03 MDT 2014


Hi sudoers,

$ sudo -V
Sudo version 1.7.2p8

$ uname -a
OpenBSD teak.britvault.co.uk 5.4 GENERIC#37 i386


sudo -Hiu <user> not setting  $PATH, $MAIL & umask:
http://thread.gmane.org/gmane.os.openbsd.misc/211823/


Comments?
Craig.


----- Forwarded message -----

To clarify, there are no ~/. shell dot files.

$PATH & umask are set in /etc/login.conf
$MAIL is the default set by login(1)

/etc/profile sources /etc/ksh.kshrc, which just sets $PS1,
window decor & some aliases, nothing major.

This arrangement works fine when logging in directly,
or via "sudo su -l user"

>From my reading of sudo(8), I thought the same environment could be
gained with something like "sudo -H -i -u username".

Am I missing sudo flags or settings in /etc/sudoers?


On 2014-04-04 Fri 11:30 AM |, Craig R. Skinner wrote:
> Hi,
> 
> When sudo'ing to another user, how can I obtain all of their environment
> settings as they receive when logging in themselves?
> 
> When I use sudo in this manner, settings such as $PATH, $MAIL & umask
> aren't being honoured:
> 
> 
> $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> craig
> /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
> /var/mail/craig
> 027
> 
> 
> 
> Here, $PATH, $MAIL & umask are unchanged:
> 
> $ sudo -H -i -u david
> $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> david
> /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
> /var/mail/craig
> 027
> 
> 
> Compare the difference when logging in as that user:
> 
> $ login david
> ...
> $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
> david
> /usr/bin:/bin:/usr/local/bin:/usr/site/bin:/home/david/bin
> /var/mail/david
> 022
> 
> 
> 
> 
> /etc/login.conf:
> default:\
> 	:passwordcheck=/usr/local/bin/pwqcheck -1:\
> 	:passwordtries=0:\
> 	:path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\
> 	:umask=022:\
> 	:datasize-cur=....
> 
> staff:\
> 	:path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin /usr/site/bin /usr/site/sbin ~/bin:\
> 	:umask=027:\
> 	:datasize-cur=....
> 
> 
> $ egrep 'env_|Defaults' /etc/sudoers | grep -v ^#
> Defaults env_keep +="DESTDIR DISTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP MAKE"
> Defaults env_keep +="MAKECONF MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_CACHE"
> Defaults env_keep +="PKG_DBDIR PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR"
> Defaults env_keep +="RELEASEDIR SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL"
> Defaults env_keep +="WRKOBJDIR"
> Defaults always_set_home, ignore_dot, use_loginclass
> 
> 
> 
> login(1):
> 
>      login enters information into the environment (see environ(7)) specifying
>      the user's home directory (HOME), command interpreter (SHELL), search
>      path (PATH), terminal type (TERM), and user name (both LOGNAME and USER).
> 
> ENVIRONMENT
>      login sets the following environment variables:
> 
>      HOME
>      MAIL
> 
> sudo(8):
> 
>   Command Environment
>      ......................  On BSD systems, if the use_loginclass option is
>      enabled, the environment is initialized based on the path and setenv
>      settings in /etc/login.conf.  The new environment contains the TERM,
>      PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
>      addition to variables from the invoking process permitted by the
>      env_check and env_keep options.  This is effectively a whitelist for
>      environment variables.
> 
> 
> 
> How can I become another user - without knowing their password,
> and gain their 'natural' environment?
> 
> e.g. from wheel group to a users group member.
> 
> 'su -l username' & 'login username' require their password.
> 
> I thought 'sudo -H -i -u username' would do it.
> 
> Any suggestions on what else I need to configure?


----- End forwarded message -----


More information about the sudo-users mailing list