
For a line that I added to /etc/sudoers, for example:

t ALL=(ALL) NOPASSWD: /path/to/myscript 

/path/to is in PATH of the current user t, but not in PATH of root.

$ sudo /path/to/myscript 

works without password, but do I need to specify the pathname of the script every time I run the script with sudo?

$ sudo myscript
[sudo] password for t:
sudo: changeCpuFreq.sh: command not found

doesn't work even with password, because myscript's path isn't in PATH of root.

$ sudo -E env "PATH=$PATH" myscript
[sudo] password for t:

works with password, because PATH of t is copied to that of root, but the problem is that it still needs password.

Thanks.

2 Answers


You do not, per se, need to define the full pathname in sudoers; however, you should do it for security reasons.

Otherwise, it is fairly easy to gain root privileges; you just need to invoke another binary with the same name, and presto, instant root privileges.

  • Thanks. How do you achieve "not need per se to define the full pathname" in /etc/sudoers? My post is whether I need to specify pathname when running it with sudo. Commented Apr 2, 2018 at 0:33
  • You do not use the full pathname, and configure a restricted Defaults secure_path; nonetheless defining the full path gives you an extra layer of security. Commented Apr 2, 2018 at 0:37
  • Do I need to specify pathname to the command, when I run it with sudo? Commented Apr 2, 2018 at 0:40
  • If the pathname is there as in your first example, you need to do it, unless you create an alias. See this for other security considerations: openwall.com/lists/owl-users/2004/10/20/6 Commented Apr 2, 2018 at 0:42
  • Do you mean that if the pathname exists in /etc/sudoers, then it must also be specified when running the command? How do you "not use the full pathname, and configure a restricted Defaults secure_path"? Commented Apr 2, 2018 at 0:47

You can customize sudo's search path for specific sudoers (or target users, commands, hosts, etc.) by editing either /etc/sudoers or one of /etc/sudoers.d/*.

CAUTION!!! If your root account is disabled, the use of visudo is strongly advised when editing sudo's configuration.

The following defines a different search path for sudoer myuser:

Defaults:myuser secure_path="/path/to:/usr/sbin:/usr/bin:/sbin:/bin" 

The following defines a different search path when sudoing as root:

Defaults>root secure_path="/path/to:/usr/sbin:/usr/bin:/sbin:/bin" 

The following defines a different search path only when calling /path/to/myscript through sudo:

Defaults!/path/to/myscript secure_path="/path/to:/usr/sbin:/usr/bin:/sbin:/bin" 

Any of the above will integrate nicely with your "NOPASSWD" rule, and no path prefix will be needed when calling sudo myscript.

  • Oh, shoots... hadn't realized it was an old question. Oh, well... someone else may need this information Commented Jul 28, 2022 at 20:38
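The first answer's point (a command given without an absolute path is resolved through secure_path/PATH at run time, so a same-named file can be substituted) and the second answer's secure_path lines both become easier to reason about with a small audit script. The following POSIX sh script is an added example, not code from either answer; it parses a constructed sudoers fragment embedded inline and flags every command rule whose command is not an absolute path (the function name audit_sudoers_rules and the sample content are assumptions).

```shell
#!/bin/sh
# Added audit helper, not code from either answer. It flags sudoers command
# rules whose command is given without an absolute path: such a name is
# looked up via secure_path/PATH at run time instead of being pinned to one file.

# Constructed sample sudoers fragment (embedded so the script runs offline).
SAMPLE_SUDOERS='# constructed sample
Defaults secure_path="/usr/sbin:/usr/bin:/sbin:/bin"
Defaults:myuser secure_path="/path/to:/usr/sbin:/usr/bin:/sbin:/bin"
t ALL=(ALL) NOPASSWD: /path/to/myscript
t ALL=(ALL) NOPASSWD: myscript
%admin ALL=(ALL) ALL
'

# Reads sudoers text from stdin (or from the files given as arguments) and
# prints one line per command: "OK <cmd>" for an absolute path or the ALL /
# sudoedit keywords, "RELATIVE <cmd>" for anything else.
audit_sudoers_rules() {
    awk '
        /^[[:space:]]*#/                { next }   # comment line
        /^[[:space:]]*$/                { next }   # blank line
        /^[[:space:]]*Defaults/         { next }   # option line, not a command rule
        /^[[:space:]]*[A-Za-z_]*_Alias/ { next }   # alias definition
        index($0, "=") == 0             { next }   # not a user specification
        {
            spec = substr($0, index($0, "=") + 1)
            sub(/^[[:space:]]*\([^)]*\)/, "", spec)          # drop the (runas) part
            n = split(spec, cmds, ",")
            for (i = 1; i <= n; i++) {
                c = cmds[i]
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", c)
                # strip tags such as NOPASSWD: or SETENV: that precede the command
                while (c ~ /^[A-Z_]+:[[:space:]]*/) sub(/^[A-Z_]+:[[:space:]]*/, "", c)
                split(c, w, /[[:space:]]+/)
                cmd = w[1]
                if (cmd == "") continue
                if (cmd == "ALL" || cmd == "sudoedit" || substr(cmd, 1, 1) == "/")
                    print "OK " cmd
                else
                    print "RELATIVE " cmd
            }
        }' "$@"
}

# Run the audit over the constructed sample.
printf '%s' "$SAMPLE_SUDOERS" | audit_sudoers_rules
```

On a real system, feed it the output of `visudo -c -f /etc/sudoers` (which only checks syntax) alongside the files under /etc/sudoers.d; the script reports the rules, it does not rewrite them.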
