[sudo-users] documentation clarification

Terry Inzauro terry at remote-shell.org
Mon Sep 14 17:08:45 MDT 2015


Recently, I discovered a behavior that I don't understand. When  
allowing a user to run a command as root (with the -i switch), I  
noticed that root's shell must also be listed in the sudo command  
definition.

Command:
sudo -i /path/to/somecommand somearg

/etc/sudoers configuration:
Defaults:APP_USERS      requiretty,!lecture
Host_Alias APP_HOSTS = *
User_Alias APP_USERS = foouser, baruser
#DOESN'T WORK
Cmnd_Alias APP_BIN = /path/to/somecommand somearg
# WORKS
Cmnd_Alias APP_BIN = /path/to/somecommand somearg, /bin/bash

APP_USERS APP_HOSTS = (root)  APP_BIN


Log:
#DOESN'T WORK
Sep 14 22:35:47 2015 : foouser : HOST=somehost : command not allowed ;  
TTY=pts/1 ; PWD=/home/foouser ; USER=root ; COMMAND=/bin/bash -c  
/path/to/somecommand somearg

#WORKS
Sep 14 22:34:59 2015 : foouser : HOST=somehost : TTY=pts/1 ;  
PWD=/home/foouser ; USER=root ; TSID=000008 ; COMMAND=/bin/bash -c  
/path/to/somecommand somearg


Sudo version 1.8.6p7
Configure options: --build=x86_64-redhat-linux-gnu  
--host=x86_64-redhat-linux-gnu --program-prefix=  
--disable-dependency-tracking --prefix=/usr --exec-prefix=/usr  
--bindir=/usr/bin --sbindir=/usr/sbin --sysconfdir=/etc  
--datadir=/usr/share --includedir=/usr/include --libdir=/usr/lib64  
--libexecdir=/usr/libexec --localstatedir=/var  
--sharedstatedir=/var/lib --mandir=/usr/share/man  
--infodir=/usr/share/info --prefix=/usr --sbindir=/usr/sbin  
--libdir=/usr/lib64 --docdir=/usr/share/doc/sudo-1.8.6p7  
--with-logging=syslog --with-logfac=authpriv --with-pam  
--with-pam-login --with-editor=/bin/vi --with-env-editor  
--with-ignore-dot --with-tty-tickets --with-ldap  
--with-ldap-conf-file=/etc/sudo-ldap.conf --with-selinux  
--with-passprompt=[sudo] password for %p:  --with-linux-audit  
--with-sssd
Sudoers policy plugin version 1.8.6p7
Sudoers file grammar version 42

Is it possible to allow a user to run a command as root with root's  
environment, without adding the shell to the command definition?

Note:
Based on the documentation for sudo -i, I did not expect this behavior.



kind regards,

Terry
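The log lines above already show the mechanism: with `-i` plus a command, sudo does not execute `/path/to/somecommand` directly but root's login shell as `/bin/bash -c "/path/to/somecommand somearg"`, and that is the command sudoers has to match. The following is an added example, not sudo's code and not part of the original post: a simplified Python model of sudoers Cmnd matching (a Cmnd without arguments matches any arguments, a Cmnd with arguments must match the joined argument string, `""` means no arguments) applied to the two APP_BIN definitions from the post. It assumes `/bin/bash` is root's shell and uses the post's placeholder paths; the `TIGHT` variant is a constructed alternative that this model accepts and should be checked against a real sudo with `visudo -c` and `sudo -l` before relying on it.

```python
"""Simplified model of sudoers Cmnd matching (constructed example, not sudo's own code)."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import List, Optional, Tuple

ROOT_SHELL = "/bin/bash"  # assumption: root's login shell, as in the posted log


@dataclass(frozen=True)
class Cmnd:
    path: str
    args: Optional[str]  # None = any arguments allowed; "" = no arguments allowed


def parse_cmnd_alias(spec: str) -> List[Cmnd]:
    """Parse the right-hand side of a Cmnd_Alias line, e.g. '/bin/ls -l, /bin/bash'."""
    cmnds = []
    for item in spec.split(","):
        item = item.strip()
        if not item:
            continue
        parts = item.split(None, 1)
        args = parts[1].strip() if len(parts) == 2 else None
        if args == '""':        # sudoers: empty string means "no arguments"
            args = ""
        cmnds.append(Cmnd(parts[0], args))
    return cmnds


def cmnd_matches(cmnd: Cmnd, path: str, args: str) -> bool:
    """Path must match (wildcards allowed); args are compared only if the Cmnd lists any."""
    if not fnmatchcase(path, cmnd.path):
        return False
    if cmnd.args is None:
        return True
    return fnmatchcase(args, cmnd.args)


def effective_command(argv: List[str], login_shell: bool = False,
                      shell: str = ROOT_SHELL) -> Tuple[str, str]:
    """Return (path, joined args) of what sudo actually runs.

    With -i, sudo runs the target user's shell; a command given on the
    command line becomes `shell -c "cmd args"`, which is what the posted
    log shows as COMMAND=/bin/bash -c /path/to/somecommand somearg.
    """
    if login_shell:
        return (shell, "-c " + " ".join(argv)) if argv else (shell, "")
    return argv[0], " ".join(argv[1:])


def allowed(alias_spec: str, argv: List[str], login_shell: bool = False) -> bool:
    """True if any Cmnd in the alias matches the command sudo would execute."""
    path, args = effective_command(argv, login_shell)
    return any(cmnd_matches(c, path, args) for c in parse_cmnd_alias(alias_spec))


# The two definitions from the post, plus a constructed tighter variant.
NO_SHELL = "/path/to/somecommand somearg"
WITH_SHELL = "/path/to/somecommand somearg, /bin/bash"
TIGHT = "/path/to/somecommand somearg, /bin/bash -c /path/to/somecommand somearg"
CMD = ["/path/to/somecommand", "somearg"]


def summary() -> dict:
    """Which invocations each definition permits under this model."""
    return {
        "no_shell, sudo -i cmd": allowed(NO_SHELL, CMD, login_shell=True),    # False: bash not listed
        "no_shell, sudo cmd": allowed(NO_SHELL, CMD),                         # True: direct match
        "with_shell, sudo -i cmd": allowed(WITH_SHELL, CMD, login_shell=True),  # True
        "with_shell, bare sudo -i": allowed(WITH_SHELL, [], login_shell=True),  # True: bare /bin/bash matches any args
        "tight, sudo -i cmd": allowed(TIGHT, CMD, login_shell=True),          # True
        "tight, bare sudo -i": allowed(TIGHT, [], login_shell=True),          # False
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k:28} -> {v}")
```

The security-relevant point the model makes visible is the `with_shell, bare sudo -i` row: a Cmnd entry of `/bin/bash` with no arguments matches any arguments, so the "WORKS" definition permits an unrestricted root shell, not just the one command. Whoever maintains the sudoers file should confirm with `sudo -l` that this is the intended grant.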



