[sudo-users] sudo -u & environment help

Shawn McMahon syberghost at gmail.com
Mon May 26 07:33:01 MDT 2014


Run sudo -V as root:

sudo sudo -V

That'll show you how it was compiled, in addition to how it's
configured. Especially:

sudo sudo -V | grep -i path


On Mon, May 26, 2014 at 4:49 AM, Craig R. Skinner
<skinner at britvault.co.uk> wrote:
> ping
>
> On 2014-05-19 Mon 21:45 PM |, Craig R. Skinner wrote:
>> Hi sudoers,
>>
>> $ sudo -V
>> Sudo version 1.7.2p8
>>
>> $ uname -a
>> OpenBSD teak.britvault.co.uk 5.4 GENERIC#37 i386
>>
>>
>> sudo -Hiu <user> not setting $PATH, $MAIL & umask:
>> http://thread.gmane.org/gmane.os.openbsd.misc/211823/
>>
>>
>> Comments?
>> Craig.
>>
>>
>> ----- Forwarded message -----
>>
>> To clarify, there are no ~/. shell dot files.
>>
>> $PATH & umask are set in /etc/login.conf
>> $MAIL is the default set by login(1)
>>
>> /etc/profile sources /etc/ksh.kshrc, which just sets $PS1,
>> window decor & some aliases, nothing major.
>>
>> This arrangement works fine when logging in directly,
>> or via "sudo su -l user"
>>
>> From my reading of sudo(8), I thought the same environment could be
>> gained with something like "sudo -H -i -u username".
>>
>> Am I missing sudo flags or settings in /etc/sudoers?
>>
>>
>> On 2014-04-04 Fri 11:30 AM |, Craig R. Skinner wrote:
>> > Hi,
>> >
>> > When sudo'ing to another user, how can I obtain all of their environment
>> > settings as they receive when logging in themselves?
>> >
>> > When I use sudo in this manner, settings such as $PATH, $MAIL & umask
>> > aren't being honoured:
>> >
>> >
>> > $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
>> > craig
>> > /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
>> > /var/mail/craig
>> > 027
>> >
>> >
>> >
>> > Here, $PATH, $MAIL & umask are unchanged:
>> >
>> > $ sudo -H -i -u david
>> > $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
>> > david
>> > /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
>> > /var/mail/craig
>> > 027
>> >
>> >
>> > Compare the difference when logging in as that user:
>> >
>> > $ login david
>> > ...
>> > $ echo $LOGNAME; echo $PATH; echo $MAIL; umask
>> > david
>> > /usr/bin:/bin:/usr/local/bin:/usr/site/bin:/home/david/bin
>> > /var/mail/david
>> > 022
>> >
>> >
>> >
>> >
>> > /etc/login.conf:
>> > default:\
>> >     :passwordcheck=/usr/local/bin/pwqcheck -1:\
>> >     :passwordtries=0:\
>> >     :path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\
>> >     :umask=022:\
>> >     :datasize-cur=....
>> >
>> > staff:\
>> >     :path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin /usr/site/bin /usr/site/sbin ~/bin:\
>> >     :umask=027:\
>> >     :datasize-cur=....
>> >
>> >
>> > $ egrep 'env_|Defaults' /etc/sudoers | grep -v ^#
>> > Defaults env_keep +="DESTDIR DISTDIR EDITOR FETCH_CMD FLAVOR FTPMODE GROUP MAKE"
>> > Defaults env_keep +="MAKECONF MULTI_PACKAGES NOMAN OKAY_FILES OWNER PKG_CACHE"
>> > Defaults env_keep +="PKG_DBDIR PKG_DESTDIR PKG_PATH PKG_TMPDIR PORTSDIR"
>> > Defaults env_keep +="RELEASEDIR SHARED_ONLY SSH_AUTH_SOCK SUBPACKAGE VISUAL"
>> > Defaults env_keep +="WRKOBJDIR"
>> > Defaults always_set_home, ignore_dot, use_loginclass
>> >
>> >
>> >
>> > login(1):
>> >
>> >      login enters information into the environment (see environ(7)) specifying
>> >      the user's home directory (HOME), command interpreter (SHELL), search
>> >      path (PATH), terminal type (TERM), and user name (both LOGNAME and USER).
>> >
>> > ENVIRONMENT
>> >      login sets the following environment variables:
>> >
>> >      HOME
>> >      MAIL
>> >
>> > sudo(8):
>> >
>> >   Command Environment
>> >      ......................  On BSD systems, if the use_loginclass option is
>> >      enabled, the environment is initialized based on the path and setenv
>> >      settings in /etc/login.conf.  The new environment contains the TERM,
>> >      PATH, HOME, MAIL, SHELL, LOGNAME, USER, USERNAME and SUDO_* variables in
>> >      addition to variables from the invoking process permitted by the
>> >      env_check and env_keep options.  This is effectively a whitelist for
>> >      environment variables.
>> >
>> >
>> >
>> > How can I become another user - without knowing their password,
>> > and gain their 'natural' environment?
>> >
>> > e.g. from wheel group to a users group member.
>> >
>> > 'su -l username' & 'login username' require their password.
>> >
>> > I thought 'sudo -H -i -u username' would do it.
>> >
>> > Any suggestions on what else I need to configure?
>>
>>
>> ----- End forwarded message -----
> ____________________________________________________________
> sudo-users mailing list <sudo-users at sudo.ws>
> For list information, options, or to unsubscribe, visit:
> http://www.sudo.ws/mailman/listinfo/sudo-users
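An added example, not code from this thread or from the sudo project: a POSIX sh script that reads login.conf(5)-style records, resolves the path and umask capabilities for a login class (following tc= links the way getcap(3) does), and compares them with what a shell started by `sudo -H -i -u user` actually reports, so you can see at a glance whether use_loginclass took effect. The login.conf sample inside it is constructed to mirror the default and staff classes quoted above; the tc=default line, the datasize-cur value and the function names are assumptions of the example. On a real host you would pass the contents of /etc/login.conf and the output of `sudo -H -i -u david sh -c 'echo "$PATH"; umask'` instead of the values copied from the thread.

```shell
#!/bin/sh
# Added example, not from the sudo-users thread or the sudo project.
# Resolves login.conf(5) capabilities for a class and checks them against the
# PATH/umask a `sudo -H -i -u user` shell reports.

# Constructed sample in login.conf format (termcap-style records with
# backslash continuation). Classes mirror the thread; tc= and the
# datasize-cur value are assumptions.
SAMPLE_LOGIN_CONF='# constructed sample, not a real /etc/login.conf
default:\
    :passwordtries=0:\
    :path=/usr/bin /bin /usr/local/bin /usr/site/bin ~/bin:\
    :umask=022:\
    :datasize-cur=512M:

staff:\
    :path=/usr/bin /bin /usr/sbin /sbin /usr/local/bin /usr/local/sbin /usr/site/bin /usr/site/sbin ~/bin:\
    :umask=027:\
    :tc=default:
'

# login_cap CONF CLASS CAP
# Prints the value of CAP for CLASS, joining continued lines and following
# tc= links (bounded, so a cycle cannot loop forever). Exit 1 if unset.
login_cap() {
    printf '%s\n' "$1" | awk -v class="$2" -v cap="$3" '
        /^[ \t]*#/ { next }                               # comment line
        /\\$/      { sub(/\\$/, ""); rec = rec $0; next } # continued line
        {
            rec = rec $0
            n = split(rec, f, ":")
            rec = ""
            if (n < 2) next
            sub(/^[ \t]+/, "", f[1])                      # class name
            for (i = 2; i <= n; i++) {
                sub(/^[ \t]+/, "", f[i])
                if (f[i] == "") continue
                eq = index(f[i], "=")
                if (eq) caps[f[1], substr(f[i], 1, eq - 1)] = substr(f[i], eq + 1)
                else    caps[f[1], f[i]] = ""             # boolean capability
            }
        }
        END {
            c = class
            for (depth = 0; depth < 8; depth++) {
                if ((c, cap) in caps) { print caps[c, cap]; exit 0 }
                if (!((c, "tc") in caps)) exit 1
                c = caps[c, "tc"]
            }
            exit 1
        }'
}

# class_path CONF CLASS HOME
# login.conf lists path entries space-separated with ~ for the home directory;
# print the colon-separated PATH that login(1), or sudo with use_loginclass,
# is expected to set.
class_path() {
    _p=$(login_cap "$1" "$2" path) || return 1
    printf '%s\n' "$_p" | awk -v home="$3" '{
        out = ""
        for (i = 1; i <= NF; i++) {
            e = $i
            if (substr(e, 1, 1) == "~") e = home substr(e, 2)
            out = out (i > 1 ? ":" : "") e
        }
        print out
    }'
}

# umask prints "027" in ksh and "0027" in bash; compare without leading zeros.
oct_trim() { printf '%s\n' "$1" | sed 's/^0*//'; }

# check_login_env CONF CLASS HOME OBSERVED_PATH OBSERVED_UMASK
# Returns 0 when the observed values match the class, 1 on a mismatch
# (each mismatch is printed), 2 when the class lacks path or umask.
check_login_env() {
    want_path=$(class_path "$1" "$2" "$3") || { echo "no path for class $2"; return 2; }
    want_umask=$(login_cap "$1" "$2" umask) || { echo "no umask for class $2"; return 2; }
    rc=0
    [ "$4" = "$want_path" ] || { echo "PATH:  want $want_path"; echo "       got  $4"; rc=1; }
    [ "$(oct_trim "$5")" = "$(oct_trim "$want_umask")" ] || { echo "umask: want $want_umask got $5"; rc=1; }
    return $rc
}

# Demo with the values reported in the thread: david is in class "default",
# but the `sudo -H -i -u david` shell kept craig's staff PATH and umask 027.
SUDO_PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin:/usr/local/sbin:/usr/site/bin:/usr/site/sbin:/home/craig/bin
if check_login_env "$SAMPLE_LOGIN_CONF" default /home/david "$SUDO_PATH" 027; then
    echo "sudo shell matches login class"
else
    echo "sudo shell does not match login class"
fi
```

The mismatch report is the point: if `sudo -V` shows use_loginclass compiled in and sudoers enables it, the expected PATH and umask should already match, and a report like the one above means the login class was not applied at all rather than applied with different values.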
