Bug 434

Summary: sudo -i requires login shell entry in sudoers
Product: Sudo
Reporter: David.Wood
Component: Sudo
Assignee: Todd C. Miller <Todd.Miller>
Status: RESOLVED INVALID
Severity: normal
Priority: low
Version: 1.7.4
Hardware: Sun
OS: Solaris 2.x

Description David.Wood 2010-08-30 17:57:19 MDT
# tail -1 /usr/local/etc/sudoers
joeuser ALL=(root) NOPASSWD:/usr/bin/echo

$ whoami
joeuser

$ sudo /usr/bin/echo hello
hello

$ sudo -i /usr/bin/echo hello
Password for joeuser (sudo):
Sorry, user joeuser is not allowed to execute '/bin/bash -c /usr/bin/echo hello' as root on is5.nyc.deshaw.com.

Shouldn't the command check be against /usr/bin/echo?
Comment 1 Todd C. Miller 2010-08-31 07:24:33 MDT
That behavior is correct.  The only way to run a command with a login-style environment is to run it via a login shell.  The -i flag is really just shorthand for doing that.  Since the login shell may be influenced by the environment or by flags passed in it would not be secure to allow any user to run any command via "sudo -i" unless they are explicitly allowed to run it via the shell.
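The following is an added illustration, not part of this bug report and not sudo's own code: a simplified Python model of sudoers command matching that shows why "sudo -i /usr/bin/echo hello" is checked as "/bin/bash -c /usr/bin/echo hello" and fails against a rule that only grants /usr/bin/echo, and a small audit helper that flags any rule which hands out a shell outright (which is what satisfying "sudo -i" would require). The sudoers lines, hostname and the assumption that root's login shell is /bin/bash are constructed for the example; the parser only understands the simple "user host=(runas) [TAG:]cmd [args]" form used here, not aliases, globs or Defaults.

```python
"""Simplified model of sudo's Cmnd_Spec matching (added example, not sudo code).

Shows that 'sudo -i CMD' is authorized as '<login shell> -c CMD', so a
sudoers rule for CMD alone does not cover it, and that the only rule that
would is one granting the shell itself.
"""
import os
import re
from dataclasses import dataclass
from typing import List, Optional

ROOT_LOGIN_SHELL = "/bin/bash"   # assumption: the target user's passwd shell
SHELLS = {"bash", "sh", "ksh", "zsh", "csh", "tcsh", "dash"}
TAG_RE = re.compile(r"^(?:(?:NOPASSWD|PASSWD|NOEXEC|EXEC|SETENV|NOSETENV):\s*)+")


@dataclass
class Rule:
    user: str
    host: str           # hostname or "ALL"
    runas: str          # target user or "ALL"
    cmd: str            # absolute path or "ALL"
    args: Optional[str] # None = any arguments, "" = no arguments allowed


def parse_sudoers(text: str) -> List[Rule]:
    """Parse lines of the form: user host=(runas) [TAG:]cmd [args], ..."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        user, rest = line.split(None, 1)
        host, spec = (s.strip() for s in rest.split("=", 1))
        runas = "ALL"
        if spec.startswith("("):
            runas, spec = (s.strip() for s in spec[1:].split(")", 1))
        for item in spec.split(","):
            item = TAG_RE.sub("", item.strip())
            cmd, _, args = item.partition(" ")
            args = args.strip()
            # In sudoers a literal "" means the command takes no arguments.
            rules.append(Rule(user, host, runas, cmd, "" if args == '""' else (args or None)))
    return rules


def effective_argv(argv: List[str], login_shell: str = ROOT_LOGIN_SHELL) -> List[str]:
    """The command sudo actually checks: argv itself, or for -i the login shell
    running the remaining words through 'shell -c'."""
    if argv and argv[0] == "-i":
        rest = argv[1:]
        return [login_shell, "-c", " ".join(rest)] if rest else [login_shell]
    return argv


def allowed(rules: List[Rule], user: str, host: str, runas: str, argv: List[str]) -> bool:
    """True if some rule lets `user` run argv as `runas` on `host`."""
    for r in rules:
        if r.user != user or r.host not in ("ALL", host) or r.runas not in ("ALL", runas):
            continue
        if r.cmd == "ALL":
            return True
        if r.cmd != argv[0]:
            continue
        # sudo compares the argument list as one space-joined string.
        if r.args is None or r.args == " ".join(argv[1:]):
            return True
    return False


def sudo_check(sudoers: str, user: str, host: str, argv: List[str], runas: str = "root") -> bool:
    return allowed(parse_sudoers(sudoers), user, host, runas, effective_argv(argv))


def shell_grants(rules: List[Rule]) -> List[Rule]:
    """Audit helper: rules granting ALL, or a shell with unrestricted arguments,
    give an unrestricted shell and are what 'sudo -i' would need."""
    return [r for r in rules
            if r.cmd == "ALL" or (os.path.basename(r.cmd) in SHELLS and r.args is None)]


# Constructed sample mirroring the report's last sudoers line.
SAMPLE_SUDOERS = "joeuser ALL=(root) NOPASSWD:/usr/bin/echo\n"
# Constructed variant that would satisfy 'sudo -i', at the cost of a full shell.
SHELL_SUDOERS = SAMPLE_SUDOERS + "joeuser ALL=(root) /bin/bash\n"

if __name__ == "__main__":
    host = "host.example"  # constructed hostname
    print(sudo_check(SAMPLE_SUDOERS, "joeuser", host, ["/usr/bin/echo", "hello"]))        # True
    print(effective_argv(["-i", "/usr/bin/echo", "hello"]))                               # shell -c ...
    print(sudo_check(SAMPLE_SUDOERS, "joeuser", host, ["-i", "/usr/bin/echo", "hello"]))  # False
    print(sudo_check(SHELL_SUDOERS, "joeuser", host, ["-i", "/usr/bin/echo", "hello"]))   # True
    print([r.cmd for r in shell_grants(parse_sudoers(SHELL_SUDOERS))])                     # ['/bin/bash']
```

Running the audit over a real sudoers is the practical takeaway: the only rule that makes "sudo -i" work for a user is one that already grants that user a shell, so such rules should be reviewed as full root access rather than as a narrow command grant.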