Bug 434 - sudo -i requires login shell entry in sudoers
Status: RESOLVED INVALID
Product: Sudo
Classification: Unclassified
Component: Sudo
Version: 1.7.4
Platform: Sun Solaris 2.x
Importance: low normal
Assigned To: Todd C. Miller
Reported: 2010-08-30 17:57 MDT by David.Wood
Modified: 2010-08-31 07:24 MDT (History)
Description David.Wood 2010-08-30 17:57:19 MDT
# tail -1 /usr/local/etc/sudoers
joeuser ALL=(root) NOPASSWD:/usr/bin/echo

$ whoami
joeuser

$ sudo /usr/bin/echo hello
hello

$ sudo -i /usr/bin/echo hello
Password for joeuser (sudo):
Sorry, user joeuser is not allowed to execute '/bin/bash -c /usr/bin/echo hello' as root on is5.nyc.deshaw.com.

Shouldn't the command check be against /usr/bin/echo?
Comment 1 Todd C. Miller 2010-08-31 07:24:33 MDT
That behavior is correct.  The only way to run a command with a login-style environment is to run it via a login shell.  The -i flag is really just shorthand for doing that.  Since the login shell may be influenced by the environment or by flags passed in, it would not be secure to allow any user to run any command via "sudo -i" unless they are explicitly allowed to run it via the shell.
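
A simplified model of the check described in Comment 1, added here as an illustration (it is not sudo's code and not part of the original report). The function names and the matching rules are assumptions that cover only plain paths and argument strings.

```python
import fnmatch


def effective_command(user_argv, login_shell=None):
    """Return the argv that the policy is asked about.

    Plain `sudo cmd args` is checked as typed. With -i and a command, the
    command is joined into one string and handed to the target user's
    login shell via -c, so the shell becomes argv[0].
    """
    if login_shell is None:
        return list(user_argv)
    return [login_shell, "-c", " ".join(user_argv)]


def rule_allows(rule, argv):
    """Simplified sudoers command match (assumption, not sudo's matcher).

    rule is 'path' (any arguments), 'path ""' (no arguments allowed) or
    'path args' (arguments must match; shell-style wildcards accepted).
    """
    path, _, rule_args = rule.partition(" ")
    if not fnmatch.fnmatchcase(argv[0], path):
        return False
    rule_args = rule_args.strip()
    if not rule_args:
        return True
    given = " ".join(argv[1:])
    if rule_args == '""':
        return given == ""
    return fnmatch.fnmatchcase(given, rule_args)


def is_allowed(rules, user_argv, login_shell=None):
    """Return (decision, argv actually checked) for a list of rules."""
    argv = effective_command(user_argv, login_shell)
    return any(rule_allows(r, argv) for r in rules), argv


if __name__ == "__main__":
    rules = ["/usr/bin/echo"]  # command list from the report's sudoers line
    for shell in (None, "/bin/bash"):  # None = plain sudo, else sudo -i
        ok, argv = is_allowed(rules, ["/usr/bin/echo", "hello"], shell)
        print("allowed" if ok else "denied ", argv)
    # A bare shell rule matches whatever string follows -c.
    print(is_allowed(["/bin/bash"], ["/usr/bin/id"], "/bin/bash"))
```

The last call shows why a shell entry in sudoers is a broad grant: a rule that names only the shell matches every command passed to it with -c.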