
Putting the PATH variable into sudo su - USER causes an error:

    USER1@SERVER:~:$ sudo PATH=$PATH su - USER2
    sudo: sorry, you are not allowed to set the following environment variables: PATH

Following the manual,

The user specified environment variables on the command line that were not allowed by sudoers.

It seems that giving env variables is not allowed.

However, when I try with other commands,

    USER1@SERVER:~:$ sudo PATH=$PATH printenv PATH
    {PATH OF USER1}
    USER1@SERVER:~:$ sudo PATH=$PATH -su USER2
    USER2@SERVER:~:$

giving environment variables doesn't cause any error.

I know that there are other good ways to switch to USER2, but I want to understand more about sudo/sudoers by figuring out why this happens.

Why does sudo PATH=$PATH su - USER2 make an error, while sudo PATH=$PATH -su USER2 works fine?


Some lines from /etc/sudoers that might be relevant.

    Cmnd_Alias SU = /usr/bin/sudoedit, /usr/sbin/visudo, /sbin/sulogin, /sbin/sushell
    Cmnd_Alias SWITCH = !/bin/su, !/bin/su -, /bin/su [-] *, !/bin/su - *root, !/bin/su root
    ...
    Defaults env_reset
    Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR ..."   # doesn't contain PATH / I found that putting env variables of this list doesn't make an error.
    ...
    USER1 ALL=(ALL) NOPASSWD: ALL, !SU, SWITCH, !KRNMOD, !SHUTDOWN, !REBOOT, !HALT, !INIT

    [USER1@SERVER ~]$ sudo -l
    Matching Defaults entries for USER1 on SERVER:
        syslog=auth, log_year, logfile=/var/log/sudo.log, env_reset,
        env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

    User USER1 may run the following commands on SERVER:
        (ALL) NOPASSWD: ALL, !/usr/bin/sudoedit, !/usr/sbin/visudo, !/sbin/sulogin, !/sbin/sushell, !/bin/su, !/bin/su -, /bin/su [-] *, !/bin/su - *root, !/bin/su root, !/sbin/insmod, !/sbin/rmmod, !/sbin/depmod, !/sbin/modprobe, !/sbin/shutdown, !/sbin/poweroff, !/usr/bin/reboot, !/usr/bin/consolehelper, !/usr/bin/halt, !/sbin/init


The error about the inclusion of PATH denying your command is actually somewhat misleading.

The fundamental error is that your definition denies sudo su - USER2, so no matter what variables you try to define you will still be denied access. It's just that a different error message is provided.

Nevertheless, the issue is almost entirely irrelevant as you have a glaring hole in your sudoers definition that allows a trivial escape to root:

    sudo -s

At this point you can do whatever you like without regard to sudo's built-in controls anyway.

  • (I cannot modify sudoers file. It's only allowed by the server master, I'm just one of the users.) When checked with sudo -l, /bin/su [-] * is allowed. And passing a variable which is contained in env_keep doesn't make any error. I want to know which file/line decides su not to allow passing a variable. Commented May 12, 2021 at 5:24
  • Like I said in your other question, it doesn't really matter. The section trying to prevent certain commands being run does not work. Trying to fix the $PATH issue without adding that is like adding a lock to a window when the doorway next to it has no door. Commented May 12, 2021 at 6:45
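To see which sudoers entry ends up deciding each of the commands above, here is an added Python simulation (not part of the question, the answer, or sudo itself) of the matching rules that sudoers(5) documents: the last matching entry wins, a Cmnd listed without arguments matches any arguments, argument patterns are shell-style wildcards matched against the space-joined arguments, and SETENV is implied only when the matching entry is ALL. The ENV_KEEP set is abbreviated from the sudo -l output, and runas, digest and env_check handling are left out.

```python
import fnmatch

# Constructed simulation of sudoers(5) matching applied to the entries from the
# question; NOT the real sudo parser (runas, digests and env_check are ignored).
# Entries are (command, args pattern or None, allowed), in file order.
RULES = [
    ("ALL", None, True),
    ("/usr/bin/sudoedit", None, False),   # !SU
    ("/usr/sbin/visudo", None, False),
    ("/sbin/sulogin", None, False),
    ("/sbin/sushell", None, False),
    ("/bin/su", None, False),             # SWITCH
    ("/bin/su", "-", False),
    ("/bin/su", "[-] *", True),
    ("/bin/su", "- *root", False),
    ("/bin/su", "root", False),
]
# Abbreviated env_keep from the sudo -l output in the question (PATH is absent).
ENV_KEEP = {"COLORS", "DISPLAY", "HOSTNAME", "HISTSIZE", "INPUTRC", "KDEDIR", "LANG"}


def rule_matches(cmd, args, pattern, arg_pattern):
    """A Cmnd matches on the command path and, when args are listed, on the
    space-joined argument string using shell-style wildcards (fnmatch)."""
    if pattern == "ALL":
        return True
    if not fnmatch.fnmatchcase(cmd, pattern):
        return False
    if arg_pattern is None:          # no args in sudoers: any arguments match
        return True
    return fnmatch.fnmatchcase(" ".join(args), arg_pattern)


def decide(cmd, args, env_vars=()):
    """Return (verdict, matching rule); verdict is 'allowed', 'denied' or
    'env denied: VAR ...' when a command-line VAR=value is not permitted."""
    matched = None
    for rule in RULES:
        if rule_matches(cmd, args, rule[0], rule[1]):
            matched = rule           # sudoers keeps the LAST matching entry
    if matched is None or not matched[2]:
        return "denied", matched
    # SETENV is implied only when the matching entry is ALL; for any other
    # entry a VAR=value on the command line must already survive env_keep.
    rejected = [v for v in env_vars if v not in ENV_KEEP]
    if rejected and matched[0] != "ALL":
        return "env denied: " + " ".join(rejected), matched
    return "allowed", matched
```

Calling decide("/bin/su", ["-", "USER2"], ["PATH"]) lands on the explicit /bin/su [-] * entry and rejects PATH, while decide("/usr/bin/printenv", ["PATH"], ["PATH"]) and a plain shell (sudo -s, sudo -su USER2) fall through to ALL, where SETENV is implied.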
