[TriLUG] sudo runas different user
Cristóbal Palmer
cmp at cmpalmer.org
Wed Apr 24 18:43:27 EDT 2013
On Wednesday, April 24, 2013 at 5:50 PM, Matthew Opoka wrote:
>
> I'm trying to run a list of commands in sudo as a different user. That part I have working but I can't get sudo to run the commands with the target user's gnarly environment. Any ideas on the best way to do this?
First off I think this is perfectly on-topic for our list, so I've stripped the OT from the subject line. :)
Now to address the question…. we have an env_keep that gets populated into our sudoers template, so a basic machine with some customization might get a line like this in /etc/sudoers:
Defaults env_keep += "EDITOR"
Please note that I'm not recommending you do this. If I can "sudo vim" I can shell out from there, for example. Anyway….
From my copy of sudo(8) under SECURITY NOTES:
-----8< snip 8<-----
There are two distinct ways to deal with environment variables. By default, the env_reset sudoers option is enabled. This
causes commands to be executed with a minimal environment containing TERM, PATH, HOME, SHELL, LOGNAME, USER and USERNAME in
addition to variables from the invoking process permitted by the env_check and env_keep sudoers options. There is effectively
a whitelist for environment variables.
If, however, the env_reset option is disabled in sudoers, any variables not explicitly denied by the env_check and env_delete
options are inherited from the invoking process. In this case, env_check and env_delete behave like a blacklist. Since it is
not possible to blacklist all potentially dangerous environment variables, use of the default env_reset behavior is encouraged.
-----8< snip 8<-----
And later...
-----8< snip 8<-----
Environment variables to be set for the command may also be passed on the command line in the form of VAR=value, e.g.
LD_LIBRARY_PATH=/usr/local/pkg/lib.
-----8< snip 8<-----
I'd also suggest reviewing sudoers(5).
Cheers!
--
Cristóbal Palmer
cmpalmer.org
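The quoted SECURITY NOTES explain why env_keep is a whitelist and why turning env_reset off is discouraged. The script below is an added example, not part of the original post or of sudo itself: it audits a sudoers fragment for a disabled env_reset and for env_keep entries that hand the invoking user control over what the command loads or executes (PATH, LD_PRELOAD, PYTHONPATH and friends). The sample fragment is constructed for the example, and the DANGEROUS_VARS list is an assumption of this script, not sudo's own built-in env_delete list; check your sudo version's defaults with `sudo -V` as root before relying on it.

```shell
#!/bin/sh
# Audit a sudoers fragment for environment-handling problems.
# Example code; the sudoers text below is constructed, not from a real host.

SAMPLE_SUDOERS='Defaults env_reset
Defaults env_keep += "EDITOR VISUAL"
Defaults env_keep += "LD_PRELOAD PYTHONPATH"
Defaults:deploy env_keep += "PATH"
Defaults:ops !env_reset
ALL ALL=(ALL) NOPASSWD: /usr/bin/id'

CLEAN_SUDOERS='Defaults env_reset
Defaults env_keep += "EDITOR"'

# Variables that let the invoking user inject code or redirect lookups when
# they survive env_reset. Assumed for this example; not sudo's own list.
DANGEROUS_VARS="PATH LD_PRELOAD LD_LIBRARY_PATH LD_AUDIT IFS CDPATH ENV BASH_ENV PS4 SHELLOPTS PERL5LIB PERLLIB PYTHONPATH PYTHONHOME RUBYLIB NODE_OPTIONS TERMCAP"

# Print every variable named on a quoted env_keep = / += line, one per line.
# Lines of the form 'Defaults:user env_keep += "..."' are handled too;
# env_keep -= lines (which remove variables) are deliberately ignored.
env_keep_vars() {
    printf '%s\n' "$1" \
      | sed -n 's/^[[:space:]]*Defaults[^ ]*[[:space:]]*env_keep[[:space:]]*[+]*=[[:space:]]*"\([^"]*\)".*/\1/p' \
      | tr ' ' '\n' | sed '/^$/d'
}

# Succeed (exit 0) if any Defaults line disables env_reset, i.e. switches
# sudo into the blacklist mode the man page warns about.
env_reset_disabled() {
    printf '%s\n' "$1" \
      | grep -Eq '^[[:space:]]*Defaults[^ ]*[[:space:]]+!env_reset([[:space:]]|$)'
}

# Print the env_keep entries that appear in DANGEROUS_VARS, in sudoers order.
dangerous_env_keep() {
    env_keep_vars "$1" | while read -r v; do
        for d in $DANGEROUS_VARS; do
            if [ "$v" = "$d" ]; then
                printf '%s\n' "$v"
                break
            fi
        done
    done
}

# Print one FAIL line per finding; return 1 if anything was found, else 0.
audit_sudoers() {
    rc=0
    if env_reset_disabled "$1"; then
        echo "FAIL: env_reset is disabled; env_check/env_delete become a blacklist"
        rc=1
    fi
    for v in $(dangerous_env_keep "$1"); do
        echo "FAIL: env_keep passes $v through from the invoking user"
        rc=1
    done
    return $rc
}

# Run the audit on both constructed fragments.
for name in SAMPLE_SUDOERS CLEAN_SUDOERS; do
    eval "text=\$$name"
    echo "== $name =="
    if audit_sudoers "$text"; then
        echo "OK: env_reset on and env_keep contains nothing dangerous"
    fi
done
```

To audit a live host, feed it `sudo cat /etc/sudoers /etc/sudoers.d/*` instead of the sample text. For the original question, the least invasive answer is usually not a wider env_keep at all: `sudo -u target -i` (or `sudo -u target -i -- sh -c 'cmd1; cmd2'`) starts the target user's login shell, which reads that user's own profile, so the environment comes from the target's dotfiles rather than from the invoker's process. Note also that VAR=value passed on the sudo command line is subject to the same env_check/env_keep rules as inherited variables unless the command carries the SETENV tag or the setenv option is on.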