[Bug 673669] New: invoking commands with sudo behaves different from normal user / root
https://bugzilla.novell.com/show_bug.cgi?id=673669

https://bugzilla.novell.com/show_bug.cgi?id=673669#c0

Summary: invoking commands with sudo behaves different from normal user / root
Classification: openSUSE
Product: openSUSE 11.4
Version: Factory
Platform: x86-64
OS/Version: SuSE Other
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Basesystem
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: casualprogrammer@opensuse.org
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b11) Gecko/20110203 Firefox/4.0b11

Invoking a command in a terminal as "normal" user like, for instance, hwinfo --help produces:
hwinfo --help
Absolute path to 'hwinfo' is '/usr/sbin/hwinfo', so running it may require superuser privileges (eg. root).
The same as root:
# hwinfo --help
Usage: hwinfo [OPTIONS]
Probe for hardware.
Options:
--
sudo hwinfo --help
root's password:
sudo: hwinfo: command not found
Only when the absolute path is given, sudo will do as told. Consecutive tries then work as expected, as long as the same gnome-terminal is used. Opening a new terminal reproduces the ill behaviour.

Reproducible: Always

Steps to Reproduce:
1. open a gnome-terminal
2. enter hwinfo --help (or other command restricted to root)
3. repeat prefixed with sudo

Actual Results: see above

Expected Results: to behave identical to "normal" user or root
https://bugzilla.novell.com/show_bug.cgi?id=673669#c1
--- Comment #1 from Casual J. Programmer
https://bugzilla.novell.com/show_bug.cgi?id=673669#c
wei wang
https://bugzilla.novell.com/show_bug.cgi?id=673669#c
Petr Uzel
https://bugzilla.novell.com/show_bug.cgi?id=673669#c2
Petr Uzel
> sudo hwinfo --help
> root's password:
> sudo: hwinfo: command not found
That's because /usr/sbin/ is not in the PATH. You have (at least) two options to make it work without specifying the full path:

1.) Add the following line to /etc/sudoers (using visudo as root).

    Defaults secure_path="/bin:/sbin:/usr/bin:/usr/sbin"

This will make all commands run with 'sudo' have this set as $PATH. Of course you can also add other directories if you need to.

2.) Add /sbin/ and /usr/sbin/ to the default $PATH for all users, not just root (I use this personally). Just insert the following line into /etc/profile.local:

    PATH="$PATH:/sbin/:/usr/sbin/"
> Only when the absolute path is given, sudo will do as told. Consecutive tries then work as expected, as long as the same gnome-terminal is used.
> Opening a new terminal reproduces the ill behaviour.
There's nothing ill - this is sudo's default behavior. You can disable the per-tty authentication by setting "Defaults !tty_tickets" in /etc/sudoers (man 5 sudoers). Please note that this setting will allow any process to hijack your sudo session.

HTH
https://bugzilla.novell.com/show_bug.cgi?id=673669#c3
Casual J. Programmer
https://bugzilla.novell.com/show_bug.cgi?id=673669#c4
Petr Uzel
> Who on earth would suspect "> sudo bla" to behave differently from "# bla" ?
Me, for example, but perhaps I'm just weird :)

Anyway, you made me look further into this. In sudo, we have sudo-1.7.1-secure_path.diff, which should set a sane PATH for programs run with sudo, except that it does not seem to work. Moreover, it also seems useless since there is a possibility to set this using secure_path in /etc/sudoers.

Therefore, I would propose the following:
- drop *-secure_path.diff
- add `Defaults secure_path="/usr/sbin:/sbin:/usr/bin:/bin"` to default /etc/sudoers.

That way, we have tunable secure_path with sane default and no additional suse-specific patch.

Dear security team: is this change OK from your POV?
https://bugzilla.novell.com/show_bug.cgi?id=673669#c5
Ludwig Nussel
https://bugzilla.novell.com/show_bug.cgi?id=673669#c6
--- Comment #6 from Petr Uzel
> that will break the use case where a program can only be found in the calling user's $PATH, e.g. ~/bin, wouldn't it?
Yes, it would, in the default settings.
> A smarter solution would be something like su does (also via suse patch), it simply adds /sbin to $PATH if it's missing.
Do you really think that sudo has to be that smart, given secure_path is easily configurable, even on per-user basis? BTW that's what Fedora uses too AFAICS.
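
Added example, not part of the bug thread and not sudo's or su's code: a simplified model of the three lookup behaviours discussed above (caller's PATH, a sudoers secure_path, and the su-style "append sbin if missing" idea), run against a constructed sandbox tree. The tool name `mytool`, the sample user PATH and the policy names are assumptions made for the illustration.

```python
import os
import tempfile

SECURE_PATH = "/usr/sbin:/sbin:/usr/bin:/bin"  # value proposed in comment #4
SBIN_DIRS = ("/sbin", "/usr/sbin")             # dirs an su-style fix-up would append
USER_PATH = "/home/user/bin:/usr/bin:/bin"     # constructed non-root PATH


def effective_path(policy, user_path):
    """PATH used for command lookup under each behaviour discussed in the thread."""
    if policy == "caller":        # no secure_path: caller's PATH is used as-is
        return user_path
    if policy == "secure_path":   # sudoers secure_path replaces the caller's PATH
        return SECURE_PATH
    if policy == "append_sbin":   # su-style: keep PATH, append missing sbin dirs
        parts = [p.rstrip("/") for p in user_path.split(":")]
        return ":".join(parts + [d for d in SBIN_DIRS if d not in parts])
    raise ValueError(policy)


def resolve(cmd, path, root):
    """First executable called cmd on path, looked up inside the sandbox root."""
    for d in path.split(":"):
        if not d.startswith("/"):
            continue              # this model only handles absolute entries
        candidate = os.path.join(root, d.lstrip("/"), cmd)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return d + "/" + cmd
    return None


def compare(user_path=USER_PATH):
    """Resolve a root-only tool and a ~/bin tool under all three policies."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed sandbox: hwinfo lives in /usr/sbin, mytool only in ~/bin.
        for rel in ("usr/sbin/hwinfo", "home/user/bin/mytool"):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full))
            with open(full, "w") as f:
                f.write("#!/bin/sh\n")
            os.chmod(full, 0o755)
        return {
            policy: {c: resolve(c, effective_path(policy, user_path), root)
                     for c in ("hwinfo", "mytool")}
            for policy in ("caller", "secure_path", "append_sbin")
        }


if __name__ == "__main__":
    for policy, found in compare().items():
        print(f"{policy:12} {found}")
```

In this model, secure_path finds hwinfo but loses the ~/bin tool, which is the trade-off raised in comment #6; appending the sbin directories finds both because the caller's PATH is kept.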
https://bugzilla.novell.com/show_bug.cgi?id=673669#c
Petr Uzel
https://bugzilla.novell.com/show_bug.cgi?id=673669#c8
Petr Uzel