Bugzilla – Bug 394
sudo -u <user> -i -- -c "<command>": Stopped working with sudo 1.7.0
Last modified: 2010-02-12 07:41:38 MST
Hi, I've got some scripts (used by several people on different Linux distributions) that use sudo to indirectly run some command in the context of another user, with the "indirection" via a login shell for that user to get all its environment variables set correctly. Pattern: sudo -u <user> -i -- -c "<command>" (I found the proposal in http://www.sudo.ws/pipermail/sudo-users/2007-October/003351.html) The mentioned "sudo" call worked fine e.g. with versions - 1.6.8p12 (SLES 10) - 1.6.9p17 (SLES 11) But now it (kind of) fails with - version 1.7.0 (Ubuntu 9.10; package version 1.7.0-1ubuntu2, see http://packages.ubuntu.com/karmic/sudo) - version 1.7.2p2 (current stable version from http://www.sudo.ws/sudo/dist/sudo-1.7.2p2.tar.gz, built on Ubuntu 9.10) The result is then: =============================================================== -bash: - : invalid option Usage: -bash [GNU long option] [option] ... -bash [GNU long option] [option] script-file ... GNU long options: --debug (...) =============================================================== I ran the same command via "strace" to see how the login shell (in this case "bash") is actually called, i.e. which parameters it gets. To reproduce the issue, I simply chose "vi" as command to run. Parameters - when the call works fine: execve("/bin/bash", ["-bash", "-c", "vi"] - when the call fails: execve("/bin/bash", ["-bash", "-c", "-c vi"] The difference is obvious: When it fails, "-c" (as the first parameter that sudo is supposed to simply pass through to the login shell) is passed twice to the login shell - not only separately as first parameter (as expected), but additionally as kind of prefix to the second parameter. By changing "-c" in the "sudo" call to e.g. "-cx" and running it again through strace, the actual call becomes execve("/bin/bash", ["-bash", "-c", "-cx vi"] so the issue is not that the passed parameter "-c" is simply duplicated, but that sudo adds its own "-c" as first parameter and then passes everything behind "--" in its command line as single additional parameter to "<command>". Please advise whether this is intended or a bug. If intended, please tell me how the "sudo" call is supposed to look like to achieve the same behavior of the mentioned call (hopefully in a way that does not depend on the sudo version, as I have to support different ones). Thanks and best regards Heiko
P.S. Searching the web for this issue (which is rather hard because of the amount of important special characters, of course), I found at least one occurrence: http://wiki.zimbra.com/index.php?title=GNR_on_FreeBSD_7#READ_ME_-_WARNING_-_READ_ME (referenced from http://www.zimbra.com/forums/installation/37115-solved-freebsd-8-amd-64-problems.html)
Starting with sudo 1.7.0 the correct way to do this kind of thing is: sudo -u <user> -i <command> sudo will now automatically pass the -c option to the shell to run the command.