
Sudo giving problem

 
SOLVED
Jeeshan
Honored Contributor


OS: 11.23
Sudo version: 1.6.9p5.001

I have an application superuser named “ops”, which has some environment variables. All application binaries are executable and owned by the “ops” user. I want to create some individual user IDs that are able to run “ops” binaries using his own environment variables.

But unfortunately, when I run the “env” command as the individual users, it shows the same variables as those of the superuser “ops”. But when I run the “env” command using sudo, i.e. sudo -u ops env, it shows only the default variables.

But on my other servers (OS: 11iv1) it shows correctly.

Where would the problem be?
a warrior never quits
Matti_Kurkela
Honored Contributor
Solution

Re: Sudo giving problem

Because of various security exploits, newer versions of sudo will sanitize the environment variables when switching to another user by default. All environment variables that are not in a specific list of allowed variables are removed. By default, the list is very short indeed.

Older versions of sudo are less strict in this. If you want to know exactly when the change happened, read the release history document of sudo.

With the new versions, you must explicitly list in the sudoers file the environment variables that your users are allowed to pass to the ops user. See "man sudoers" for more details.

The necessary sudoers configuration line would probably be something like this:

Defaults>ops env_keep+="VARIABLE_NAME1 VARIABLE_NAME2"

MK
Jeeshan
Honored Contributor

Re: Sudo giving problem

Thanks for your point.

Apart from this, I have a file that contains a huge number of environment variables. It's a troublesome job to put in all the environment variables as you said.

How can I configure sudoers with a specific environment variables file?
a warrior never quits
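
As an added example (not part of the original posts and not code from the sudo project), one way to avoid typing a long env_keep list by hand is to generate the line from the existing variables file. The runas user name, the NAME=value file format and the deny-list of names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: build a sudoers env_keep line from a file of NAME=value lines.
# RUNAS_USER and the deny-list in env_names() are assumptions for illustration.
RUNAS_USER=ops

# Print the variable names found in env file $1, one per line, de-duplicated.
# Accepts "NAME=value" and "export NAME=value"; comments, blank lines and
# anything that is not a plain identifier are ignored. Names that control
# library loading or shell parsing are never put on the allow-list.
env_names() {
    sed -n 's/^[[:space:]]*\(export[[:space:]]\{1,\}\)\{0,1\}\([A-Za-z_][A-Za-z0-9_]*\)=.*/\2/p' "$1" |
    while read -r name; do
        case "$name" in
            LD_*|SHLIB_PATH|PATH|IFS|ENV|BASH_ENV|CDPATH) ;;  # skipped on purpose
            *) printf '%s\n' "$name" ;;
        esac
    done | LC_ALL=C sort -u
}

# Emit one Defaults line scoped to commands run as $RUNAS_USER.
# Returns 1 (and prints nothing) when no acceptable name was found.
gen_env_keep() {
    names=$(env_names "$1" | tr '\n' ' ' | sed 's/ $//')
    [ -n "$names" ] || return 1
    printf 'Defaults>%s env_keep+="%s"\n' "$RUNAS_USER" "$names"
}

# Constructed sample input (not taken from the thread).
sample=$(mktemp)
cat > "$sample" <<'EOF'
# ops application environment
export ORACLE_SID=PROD
APP_HOME=/opt/app
LD_LIBRARY_PATH=/tmp/lib
PATH=/opt/app/bin:/usr/bin
not a variable line
APP_HOME=/opt/app2
EOF
gen_env_keep "$sample"   # Defaults>ops env_keep+="APP_HOME ORACLE_SID"
rm -f "$sample"
```

Only the names go into sudoers; the values still come from the invoking user's environment. Check the generated line with visudo -c before installing it.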
Dennis Handly
Acclaimed Contributor

Re: Sudo giving problem

>MK: With the new versions, you must explicitly list in the sudoers file the environment variables that your users are allowed to pass to the ops user.

I thought there was an option to allow all variables to pass through?
We had one application stop working on the new sudo. We either had to use that option or better, pass that one variable on the command line.
Jeeshan
Honored Contributor

Re: Sudo giving problem

Hey Dennis, what was the option?

Can you clarify that?
a warrior never quits
Dennis Handly
Acclaimed Contributor

Re: Sudo giving problem

>what was the option?

See -E in the manual:
http://www.sudo.ws/sudo/man/sudo.html#options

It mentions:
It is only available when either the matching command has the SETENV tag or the setenv option
Jeeshan
Honored Contributor

Re: Sudo giving problem

Yeah, the -E option works.

But the user is habituated to only sudo -u .

How can I use the above syntax without using -E?
a warrior never quits
johnsonpk
Honored Contributor

Re: Sudo giving problem

Hi Jeeshan,

Create an alias for sudo, something like

alias sudo="sudo -E"

You need to put the above command in the proposed user's .profile to make it permanent across logins.

Regards
Johnson
Jeeshan
Honored Contributor

Re: Sudo giving problem

Good replies!!!
a warrior never quits