Bugzilla – Bug 527
"sudo -i" doesn't use variables from /etc/login.conf
Last modified: 2012-02-21 06:13:45 MST
Hello,

$ cat /etc/login.conf
...
class1: \
    ...
    :setenv=MAIL=/var/mail/$,BLOCKSIZE=1G,EDITOR=/usr/bin/ee,TMPDIR=/var/tmp,PAGER=less:\
    ...
    :path=~/bin /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /ZZZ/bin /ZZZ/bin/scripts:\
    ...

$ sudo -u userwithclass1 -i
$ env | egrep '(BLOCK|PATH)'
PATH=/usr/bin:/bin:/usr/sbin:/sbin:

"su -" works as expected:

$ sudo su - userwithclass1
$ env | egrep '(BLOCK|PATH)'
BLOCKSIZE=1G
PATH=/home/userwithclass1/bin:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin:/ZZZ/bin:/ZZZ/bin/scripts

$ uname -rs
FreeBSD 8.2-STABLE
$ sudo -V
Sudo version 1.8.1p2
Sudoers policy plugin version 1.8.1p2
Sudoers file grammar version 40
Sudoers I/O plugin version 1.8.1p2
Sudo 1.8.4 will contain a fix for this. It's a bit more complicated than just specifying LOGIN_SETENV to setusercontext() since the plugin is responsible for setting up the environment pointer that the command will be executed with,
I've tested your fix from the hg repository. It works fine for the "setenv" option. However, it looks like you hard-coded parsing and support of the "setenv" option in sudo. I believe it is not the best way to support login class variables because:

1) there are actually a lot of options in login.conf which affect environment variables ("path", "manpath", "lang", etc.; you can see all of them in man login.conf <http://www.freebsd.org/cgi/man.cgi?query=login.conf>);
2) there are also other login class options which would be good to support ("priority", "umask");
3) doing it in sudo is fragile. FreeBSD developers can add a new option at any moment.

Maybe it is better to use setusercontext with LOGIN_SETALL somehow?

$ grep use_loginclass /usr/local/etc/sudoers
Defaults>testuser use_loginclass

$ pw usershow testuser
testuser:*:4199:4348:testclass1:0:0:User &:/home/testuser:/bin/sh

$ awk '/^$/ && f{exit 0} /^testclass1:/ {f=1} f {print}' /etc/login.conf
testclass1:\
    :datasize-cur=3000M:\
    :datasize-max=3000M:\
    :memoryuse-cur=2000M:\
    :memoryuse-max=2000M:\
    :openfiles-cur=6000:\
    :openfiles-max=6000:\
    :maxproc-cur=6000:\
    :maxproc-max=6000:\
    :setenv=MAIL=/var/mail/$,BLOCKSIZE=1G,TMPDIR=/var/tmp,PAGER=less\
    :umask=002:\
    :path=~/bin /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /ZZZ/bin /ZZZ/bin/scripts:\
    :manpath=/QQQ:\
    :lang=ru_RU.UTF-8:\
    :timezone=Europe/Moscow:\
    :tc=default:

$ su - testuser
$ env
USER=testuser
MAIL=/var/mail/testuser
HOME=/home/testuser
PAGER=less
TMPDIR=/var/tmp
BLOCKSIZE=1G
TERM=xterm-256color
PATH=/home/testuser/bin:/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin:/ZZZ/bin:/ZZZ/bin/scripts
LANG=ru_RU.UTF-8
SHELL=/bin/sh
PWD=/place/home/testuser
TZ=Europe/Moscow
MANPATH=/QQQ

$ sudo -u testuser -i
$ env
SUDO_GID=4055
USER=testuser
MAIL=/var/mail/testuser
HOME=/home/testuser
PAGER=less
TMPDIR=/var/tmp
SUDO_UID=4054
LOGNAME=testuser
BLOCKSIZE=1G
USERNAME=testuser
TERM=xterm-256color
PATH=/home/qwerty/.bin:/usr/bin:/bin:/usr/local/bin:/sbin:/usr/sbin
LANG=en_US.UTF-8
SUDO_COMMAND=/bin/sh
SHELL=/bin/sh
SUDO_USER=qwerty
PWD=/place/home/testuser
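The comparison the reporter does by hand in the two comments above (what a login class's setenv=, path=, manpath=, lang= and timezone= capabilities should put into a session, versus what "sudo -i" actually delivered) can be automated. The script below is an added example, not code from this bug report or from sudo. It parses a constructed login.conf fragment modelled on the reporter's class, resolves tc= chaining with the first-definition-wins rule of cgetent(3), derives the environment that login(1)/setusercontext(3) would build from it under the login.conf(5) rules (path is space separated and joined with ':'; in path and setenv values '~' expands to the home directory and '$' to the user name, which the reporter's MAIL and PATH output confirms), and then diffs that against a constructed copy of the "sudo -u testuser -i" env listing posted above. All function names and the sample data are this example's own assumptions; the parser deliberately does not handle capability values that contain a literal ':'.

```python
"""Check which login.conf(5) environment capabilities a session actually honoured."""

# Constructed sample login.conf, modelled on the class quoted in this bug report
# (not copied from any real host). Note that default: also sets BLOCKSIZE so the
# tc= precedence rule is exercised.
LOGIN_CONF = r"""
# comment lines are ignored
default:\
    :umask=022:\
    :path=/sbin /bin /usr/sbin /usr/bin /usr/local/sbin /usr/local/bin ~/bin:\
    :setenv=BLOCKSIZE=K:\
    :lang=en_US.UTF-8:

testclass1:\
    :umask=002:\
    :setenv=MAIL=/var/mail/$,BLOCKSIZE=1G,TMPDIR=/var/tmp,PAGER=less:\
    :path=~/bin /bin /usr/bin /usr/local/bin /sbin /usr/sbin /usr/local/sbin /ZZZ/bin /ZZZ/bin/scripts:\
    :manpath=/QQQ:\
    :lang=ru_RU.UTF-8:\
    :timezone=Europe/Moscow:\
    :tc=default:
"""

# Constructed copy of the env listing the reporter saw after "sudo -u testuser -i"
# with the partial fix applied: setenv= honoured, path/lang/timezone/manpath not.
SUDO_I_ENV = """\
SUDO_GID=4055
USER=testuser
MAIL=/var/mail/testuser
HOME=/home/testuser
PAGER=less
TMPDIR=/var/tmp
BLOCKSIZE=1G
TERM=xterm-256color
PATH=/home/qwerty/.bin:/usr/bin:/bin:/usr/local/bin:/sbin:/usr/sbin
LANG=en_US.UTF-8
SHELL=/bin/sh
"""


def parse_login_conf(text):
    """Return {class_name: {capability: value}} from getcap(3)-style text.

    A record continues while lines end in a backslash; fields are ':'-separated;
    the first field holds '|'-separated class names. Boolean capabilities (no '=')
    are stored as True. Within a record the first occurrence of a capability wins,
    as in cgetent(3). Values containing a literal ':' are not supported here.
    """
    classes, record = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            record += line[:-1]
            continue
        record += line
        fields = [f for f in record.split(":") if f]
        record = ""
        caps = {}
        for field in fields[1:]:
            name, sep, value = field.partition("=")
            caps.setdefault(name, value if sep else True)
        for name in fields[0].split("|"):
            classes[name] = caps
    return classes


def resolve_class(classes, name, _seen=()):
    """Flatten tc= chaining: a class's own capabilities override inherited ones."""
    caps = dict(classes[name])
    parent = caps.pop("tc", None)
    if parent and parent not in _seen:
        for cap, value in resolve_class(classes, parent, _seen + (name,)).items():
            caps.setdefault(cap, value)
    return caps


def expected_env(caps, user, home):
    """Environment login(1)/setusercontext(LOGIN_SETENV|LOGIN_SETPATH) derives
    from the class: '~' expands to the home directory, '$' to the user name."""
    def expand(value):
        return value.replace("~", home).replace("$", user)

    env = {}
    direct = {"path": "PATH", "manpath": "MANPATH", "lang": "LANG",
              "timezone": "TZ", "term": "TERM"}
    for cap, var in direct.items():
        if cap in caps:
            value = expand(caps[cap])
            # path= is space separated in login.conf and ':'-joined in PATH
            env[var] = ":".join(value.split()) if cap == "path" else value
    for item in caps.get("setenv", "").split(","):
        if item:
            var, _, value = item.partition("=")
            env[var] = expand(value)
    return env


def parse_env(text):
    """Turn env(1) output into a dict."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)


def missing_or_wrong(expected, actual):
    """{var: (expected, actual)} for every class-derived variable the session lacks."""
    return {var: (value, actual.get(var))
            for var, value in expected.items() if actual.get(var) != value}


if __name__ == "__main__":
    caps = resolve_class(parse_login_conf(LOGIN_CONF), "testclass1")
    want = expected_env(caps, user="testuser", home="/home/testuser")
    for var, (exp, got) in sorted(missing_or_wrong(want, parse_env(SUDO_I_ENV)).items()):
        print(f"{var}: expected {exp!r}, got {got!r}")
```

Run on a real host, replace SUDO_I_ENV with the output of `sudo -u USER -i env` and LOGIN_CONF with /etc/login.conf; an empty report means the login class was applied in full, and the remaining entries name exactly the capabilities the sudo version under test still ignores.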
The priority settings are already supported (see src/sudo.c). The issue with the environment is that the environment a command executes with is controlled by the policy module, which cannot call setusercontext() itself.
Fixed in sudo 1.8.4