topic Re: sudo Runas_Alias needs to source .shrc variables in Operating System - HP-UX

sudo Runas_Alias needs to source .shrc variables

Mike Patterson — Thu, 11 Aug 2011 16:04:38 GMT

I'm configuring a sudo Runas_Alias in the sudoers file on a hp-ux 11.31 system. The

goal is to allow some hp-ux accounts to sudo to a service account and run commands as

that user. Here's the related sudoers entries:

User_Alias     DMSTAFF = %dmstaff
Runas_Alias    DMALIAS = dmadmin
DMSTAFF        ALL = (DMALIAS) NOPASSWD: ALL

For example, testuser1 belongs to the dmstaff hp-ux group, so he is allowed to run

commands as dmadmin like this:

sudo -u dmadmin [some command]
or
sudo -Hu dmadmin [some command] (preserve's target user's home dir)

It works very well and sudo commands are logged to our sudo.log. However, sudo is not sourcing important env variables that dmadmin requires. These env variables are normally sourced from dmadmin's .shrc file in his home directory.

We can simple allow the users to sudo su - dmadmin by defining a simple Cmnd_Alias,

but in that case subsequent commands will not be logged to the sudo.log - a dept.

requirement.

Any ideas?

Re: sudo Runas_Alias needs to source .shrc variables

Matti_Kurkela — Fri, 12 Aug 2011 06:27:18 GMT

If your version of sudo is recent enough to support the -i option, try "sudo -u dmadmin -i [some command]".

If you don't use either -H or -i, the target user's shell is likely to be looking for the .shrc file from the original user's home directory, not in dmadmin's home directory.

It would also be important to know which shell the dmadmin user is configured to use: ".shrc" is not one of the standard HP-UX /usr/bin/sh login scripts. Perhaps it's executed because the ENV variable is set in some other login script? If so, please keep in mind that modern versions of sudo will remove any environment variables it is not specifically configured to keep. You may have to add something like this to your sudoers file:

Defaults>DMALIAS env_keep+=ENV

(Unless I'm mistaken, that should tell sudo to add ENV to the list of preserved environment variables when sudoing to users listed in Runas_Alias DMALIAS. A relatively recent version of sudo might also be required to support this syntax.)