Bugzilla – Full Text Bug Listing
| Summary: | "sudo -i" doesn't use variables from /etc/login.conf | | |
|---|---|---|---|
| Product: | Sudo | Reporter: | Valery Khromov <valery.khromov> |
| Component: | Sudo | Assignee: | Todd C. Miller <Todd.Miller> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | | |
| Priority: | low | | |
| Version: | 1.8.1 | | |
| Hardware: | PC | | |
| OS: | FreeBSD | | |
```
$ uname -rs
FreeBSD 8.2-STABLE
$ sudo -V
Sudo version 1.8.1p2
Sudoers policy plugin version 1.8.1p2
Sudoers file grammar version 40
Sudoers I/O plugin version 1.8.1p2
```

Sudo 1.8.4 will contain a fix for this. It's a bit more complicated than just specifying LOGIN_SETENV to setusercontext() since the plugin is responsible for setting up the environment pointer that the command will be executed with.

I've tested your fix from the hg repository.
It works fine for the "setenv" option.
However, it looks like you hard-coded parsing and support of the "setenv" option in sudo.
I believe it is not the best way to support login class variables because:
1. there are actually a lot of options in login.conf which affect environment variables ("path", "manpath", "lang", etc.; you can see all of them in man login.conf <http://www.freebsd.org/cgi/man.cgi?query=login.conf>)
2. there are also other login class options which would be good to support ("priority", "umask")
3. doing it in sudo is fragile. FreeBSD developers can add a new option at any moment.
Maybe it is better to use setusercontext with LOGIN_SETALL somehow?
```
$ grep use_loginclass /usr/local/etc/sudoers
Defaults>testuser use_loginclass
$ pw usershow testuser
testuser:*:4199:4348:testclass1:0:0:User &:/home/testuser:/bin/sh
$ awk '/^$/ && f{exit 0} /^testclass1:/ {f=1} f {print}' /etc/login.conf
testclass1:\
:datasize-cur=3000M:\
:datasize-max=3000M:\
:memoryuse-cur=2000M:\
:memoryuse-max=2000M:\
:openfiles-cur=6000:\
:openfiles-max=6000:\
:maxproc-cur=6000:\
:maxproc-max=6000:\
:setenv=MAIL=/var/mail/$,BLOCKSIZE=1G,TMPDIR=/var/tmp,PAGER=less\
:umask=002:\
:path=~/bin /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /ZZZ/bin /ZZZ/bin/scripts:\
:manpath=/QQQ:\
:lang=ru_RU.UTF-8:\
:timezone=Europe/Moscow:\
:tc=default:
$ su - testuser
$ env
USER=testuser
MAIL=/var/mail/testuser
HOME=/home/testuser
PAGER=less
TMPDIR=/var/tmp
BLOCKSIZE=1G
TERM=xterm-256color
PATH=/home/testuser/bin:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin:/ZZZ/bin:/ZZZ/bin/scripts
LANG=ru_RU.UTF-8
SHELL=/bin/sh
PWD=/place/home/testuser
TZ=Europe/Moscow
MANPATH=/QQQ
$ sudo -u testuser -i
$ env
SUDO_GID=4055
USER=testuser
MAIL=/var/mail/testuser
HOME=/home/testuser
PAGER=less
TMPDIR=/var/tmp
SUDO_UID=4054
LOGNAME=testuser
BLOCKSIZE=1G
USERNAME=testuser
TERM=xterm-256color
PATH=/home/qwerty/.bin:/usr/bin:/bin:/usr/local/bin:/sbin:/usr/sbin
LANG=en_US.UTF-8
SUDO_COMMAND=/bin/sh
SHELL=/bin/sh
SUDO_USER=qwerty
PWD=/place/home/testuser
```
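The comparison the comment above makes by hand (the class entry from login.conf against the `env` output of `su -` and of `sudo -u testuser -i`) can be turned into a repeatable audit of whether a privileged session actually received the user's login class environment. The following is an added example and is not code from the bug report or from the sudo project. It parses a login.conf class in the cap format quoted above (continuation lines, `:`-separated capabilities, `tc=` chaining to a parent class), derives the variables login class processing sets, and reports what an `env` dump lacks or sets differently. The capability-to-variable mapping (setenv with `$` expanded to the user name, path with `~` expanded to the home directory and joined with `:`, manpath, lang, timezone) is taken from the `su -` output shown in the comment; the login.conf text and the two env dumps in the block are constructed from the values quoted there, with the resource limits omitted. The parser assumes values contain no escaped colons.

```python
"""Audit a login session's environment against the user's login.conf class.

Added example, not code from the bug report or from sudo. The login.conf text
and the two env dumps below are constructed from the values quoted in the
report; the capability-to-variable mapping is taken from the su(1) output there.
"""


def parse_login_conf(text):
    """Return {class_name: {capability: value}} from login.conf(5) text.

    A trailing backslash continues the record on the next line, '#' starts a
    comment, fields are ':'-separated, and the first field is the name list
    ('name|alias'). Escaped colons inside values are not handled (assumption).
    """
    entries = {}

    def store(record):
        fields = [f for f in record.split(":") if f]
        caps = {}
        for field in fields[1:]:
            key, has_value, value = field.partition("=")
            caps[key] = value if has_value else True  # flag capability
        for name in fields[0].split("|"):
            entries[name] = caps

    record = ""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            record += stripped[:-1].rstrip()  # continued on the next line
            continue
        store(record + stripped)
        record = ""
    if record:
        store(record)
    return entries


def resolve_class(entries, name, _chain=()):
    """Expand tc= references; a class's own capabilities override the parent's."""
    caps = dict(entries[name])
    parent = caps.pop("tc", None)
    if parent in entries and parent not in _chain:
        merged = resolve_class(entries, parent, _chain + (name,))
        merged.update(caps)
        return merged
    return caps


def expected_env(caps, user, home):
    """Variables that login class processing sets for this class.

    '$' expands to the user name and '~' to the home directory, as the
    report's MAIL=/var/mail/$ -> /var/mail/testuser and path=~/bin show.
    """
    def expand(value):
        return value.replace("~", home).replace("$", user)

    env = {}
    setenv = caps.get("setenv")
    if isinstance(setenv, str):
        for item in setenv.split(","):
            if item:
                key, _, value = item.partition("=")
                env[key] = expand(value)
    if "path" in caps:  # space-separated in login.conf, colon-separated in PATH
        env["PATH"] = ":".join(expand(p) for p in caps["path"].split())
    if "manpath" in caps:
        env["MANPATH"] = ":".join(caps["manpath"].split())
    if "lang" in caps:
        env["LANG"] = caps["lang"]
    if "timezone" in caps:
        env["TZ"] = caps["timezone"]
    return env


def parse_env(dump):
    """Parse `env` output (NAME=value per line) into a dict."""
    return dict(line.partition("=")[::2] for line in dump.splitlines() if "=" in line)


def audit_session(conf_text, class_name, user, home, env_dump):
    """Return {VAR: (expected, actual)} for every class variable the session
    lacks or sets differently; an empty dict means the class was applied."""
    caps = resolve_class(parse_login_conf(conf_text), class_name)
    actual = parse_env(env_dump)
    return {k: (v, actual.get(k))
            for k, v in expected_env(caps, user, home).items()
            if actual.get(k) != v}


# Constructed sample data, taken from the values quoted in the report.
LOGIN_CONF = """\
# class quoted in the report; resource limits omitted
default:\\
\t:path=/bin /usr/bin:\\
\t:umask=022:

testclass1:\\
\t:setenv=MAIL=/var/mail/$,BLOCKSIZE=1G,TMPDIR=/var/tmp,PAGER=less:\\
\t:umask=002:\\
\t:path=~/bin /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /ZZZ/bin /ZZZ/bin/scripts:\\
\t:manpath=/QQQ:\\
\t:lang=ru_RU.UTF-8:\\
\t:timezone=Europe/Moscow:\\
\t:tc=default:
"""

SU_ENV = """USER=testuser
MAIL=/var/mail/testuser
HOME=/home/testuser
PAGER=less
TMPDIR=/var/tmp
BLOCKSIZE=1G
TERM=xterm-256color
PATH=/home/testuser/bin:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin:/ZZZ/bin:/ZZZ/bin/scripts
LANG=ru_RU.UTF-8
SHELL=/bin/sh
PWD=/place/home/testuser
TZ=Europe/Moscow
MANPATH=/QQQ
"""

SUDO_ENV = """SUDO_GID=4055
USER=testuser
MAIL=/var/mail/testuser
HOME=/home/testuser
PAGER=less
TMPDIR=/var/tmp
SUDO_UID=4054
LOGNAME=testuser
BLOCKSIZE=1G
USERNAME=testuser
TERM=xterm-256color
PATH=/home/qwerty/.bin:/usr/bin:/bin:/usr/local/bin:/sbin:/usr/sbin
LANG=en_US.UTF-8
SUDO_COMMAND=/bin/sh
SHELL=/bin/sh
SUDO_USER=qwerty
PWD=/place/home/testuser
"""

if __name__ == "__main__":
    for label, dump in (("su - testuser", SU_ENV), ("sudo -u testuser -i", SUDO_ENV)):
        diff = audit_session(LOGIN_CONF, "testclass1", "testuser", "/home/testuser", dump)
        if diff:
            print(f"{label}: class not fully applied, differing: {', '.join(sorted(diff))}")
        else:
            print(f"{label}: login class environment applied")
```

Run against the constructed dumps, the `su -` session comes back clean while the `sudo -i` session is flagged for PATH, LANG, TZ and MANPATH, which is exactly the set the comment identifies: the setenv entries are honoured by the 1.8.x fix, the other login.conf-derived variables are not. On a real host, replace the constructed strings with the contents of /etc/login.conf and a captured `env` from the session under test.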
The priority settings are already supported (see src/sudo.c). The issue with the environment is that the environment a command executes with is controlled by the policy module, which cannot call setusercontext() itself.

Fixed in sudo 1.8.4
Hello,

```
$ cat /etc/login.conf
...
class1: \
...
:setenv=MAIL=/var/mail/$,BLOCKSIZE=1G,EDITOR=/usr/bin/ee,TMPDIR=/var/tmp,PAGER=less:\
...
:path=~/bin /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /ZZZ/bin /ZZZ/bin/scripts:\
...
$ sudo -u userwithclass1 -i
$ env | egrep '(BLOCK|PATH)'
PATH=/usr/bin:/bin:/usr/sbin:/sbin:
```

"su -" works as expected:

```
$ sudo su - userwithclass1
$ env | egrep '(BLOCK|PATH)'
BLOCKSIZE=1G
PATH=/home/userwithclass1/bin:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin:/ZZZ/bin:/ZZZ/bin/scripts
```