sudo -i doesn't work anymore with specific permissions through sudoers file


I had a bash script which called sudo -i -u user /bin/bla/whatever. That worked fine until the last update to CentOS 5.8. That's the corresponding entry in the sudoers file:

Runas_Alias TEST = user1, user2
Defaults:test always_set_home
test ALL=(TEST) NOPASSWD: /bin/bash -c /bin/bla/whatever, /bin/bla/whatever

If I used sudo -i it seems it called the command

"/bin/bash -c /bin/bla/whatever"

(regarding the secure log). Now, since the update, it seems to call

"/bin/bash -c \/bin\/bla\/whatever"

and therefore is not allowed to. I tried to change the line in the sudoers file to

test ALL=(TEST) NOPASSWD: /bin/bash -c /bin/bla/whatever, /bin/bla/whatever, /bin/bash -c \/bin\/bla\/whatever

but that's not allowed syntax, so I tried:

test ALL=(TEST) NOPASSWD: /bin/bash -c /bin/bla/whatever, /bin/bla/whatever, /bin/bash -c \\/bin\\/bla\\/whatever

That's valid syntax but doesn't work either.

If I use sudo -H -u user /bin/bla/whatever it works fine. It also works if I allow /bin/bash in the sudoers file, but that would allow anything.

Any ideas?

Erik

There are 2 best solutions below


Just checked the sudo man page on my Fedora 16 system and it says:

   -i [command]
               The -i (simulate initial login) option runs the shell specified by the password database entry of the target user as a login shell.  This means
               that login-specific resource files such as .profile or .login will be read by the shell.  If a command is specified, it is passed to the shell
               for execution via the shell's -c option.

So it does not appear to be necessary to specify bash -c in your sudoers command definition.

If you call the command as sudo -i /bin/bla/whatever you should need nothing more than the following in your sudoers file:

test ALL=(TEST) NOPASSWD: /bin/bla/whatever

I can reproduce the problem on my Fedora 16 system; no changes to the sudoers file I tried had any effect. I cannot find any other configuration required to make this work. All I can say is to use '-H -u ...'.


Were you running sudo -i -u user /bin/bla/whatever with arguments? From man sudoers:

A simple file name allows the user to run the command with any arguments he/she wishes. However, you may also specify command line arguments (including wildcards). Alternately, you can specify "" to indicate that the command may only be run without command line arguments.

So once you add in the /bin/bash -c you are now specifying arguments and they must match exactly.

Here's an example sudoers line:

test ALL=(ALL) NOPASSWD: /bin/bash -c /bin/true, /bin/bash -c /bin/true *, /bin/true *

With that I can do:

sudo /bin/true
sudo /bin/true foo
sudo -i /bin/true
sudo -i /bin/true foo

But not sudo true because that becomes bash -c true which does not match bash -c /bin/true.
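The two rules both answers rely on, the man sudoers argument-matching paragraph quoted in the second answer and the -i description ("passed to the shell for execution via the shell's -c option") quoted in the first, are modelled below in Python as an added example. It is not part of the original thread and not sudo's own code. spec_matches() follows the quoted matching rule (a bare file name allows any arguments, "" allows none, anything else is glob-matched against the user's arguments joined into one string); login_shell_argv() rewrites a command the way -i does and can also produce the backslash-escaped form from the question's secure log. The escaping rule used for that (every character that is not alphanumeric, '_' or '-') is an assumption chosen to reproduce the logged string, not a statement of sudo's exact behaviour, and the sudoers specs and commands are constructed for the example. The Runas part of the entry is not modelled; only the Cmnd part is checked.

```python
r"""Toy model of sudoers command-argument matching and of what `sudo -i` runs.

Added example for this thread; it is not sudo's own code.  The matching rule
follows the paragraph quoted from man sudoers; the login-shell rewrite follows
the -i description quoted from the sudo man page.
"""
import fnmatch

# Constructed sudoers command specs (SPEC_EXACT is the one from the question).
SPEC_EXACT = "/bin/bash -c /bin/bla/whatever"
SPEC_PLAIN = "/bin/bla/whatever"      # bare file name: any arguments allowed
SPEC_GLOB = "/bin/true *"             # wildcard: any argument string
SPEC_NOARGS = '/bin/true ""'          # may only be run without arguments
SPEC_SHELL = "/bin/bash"              # the "allow anything" entry from the question


def parse_spec(spec):
    """Split a Cmnd spec into (path, pattern): pattern is None for a bare
    file name, "" for a trailing "", otherwise the literal argument text."""
    path, _, rest = spec.strip().partition(" ")
    rest = rest.strip()
    if not rest:
        return path, None
    if rest == '""':
        return path, ""
    return path, rest


def spec_matches(spec, argv):
    """Decide whether argv (the command as sudo would execute it) is allowed
    by spec.  The user's arguments are joined into one space-separated string
    and glob-matched against the argument text of the spec, so explicit
    arguments in sudoers must match exactly unless they contain wildcards."""
    path, pattern = parse_spec(spec)
    if argv[0] != path:
        return False
    user_args = " ".join(argv[1:])
    if pattern is None:          # bare file name: any arguments
        return True
    if pattern == "":            # spec ends in "": no arguments at all
        return user_args == ""
    return fnmatch.fnmatchcase(user_args, pattern)


def login_shell_argv(command, escape_metachars):
    """What `sudo -i <command...>` actually executes: the target user's login
    shell (bash here) with the command passed through -c.  With
    escape_metachars=True each word is backslash-escaped first.  The escaping
    rule is an assumption (every character that is not alphanumeric, '_' or
    '-'), chosen to reproduce the `\/bin\/bla\/whatever` form from the
    question's secure log."""
    if escape_metachars:
        command = [
            "".join(c if c.isalnum() or c in "_-" else "\\" + c for c in word)
            for word in command
        ]
    return ["/bin/bash", "-c", " ".join(command)]


# (spec, argv) pairs: each one is a situation discussed in the thread.
CASES = [
    # old sudo: -i builds "/bin/bash -c /bin/bla/whatever", an exact match
    (SPEC_EXACT, login_shell_argv(["/bin/bla/whatever"], False)),
    # new sudo: the escaped argument no longer matches the same spec
    (SPEC_EXACT, login_shell_argv(["/bin/bla/whatever"], True)),
    # sudo -H -u user /bin/bla/whatever: no shell involved, the plain spec works
    (SPEC_PLAIN, ["/bin/bla/whatever"]),
    # a wildcard spec accepts any arguments, and also none at all
    (SPEC_GLOB, ["/bin/true", "foo", "bar"]),
    (SPEC_GLOB, ["/bin/true"]),
    # a "" spec rejects arguments
    (SPEC_NOARGS, ["/bin/true", "foo"]),
    # sudo -i true becomes bash -c true, which is not bash -c /bin/true
    ("/bin/bash -c /bin/true", login_shell_argv(["true"], False)),
    # why a bare /bin/bash entry amounts to an unrestricted shell as the runas user
    (SPEC_SHELL, ["/bin/bash", "-c", "cat /etc/shadow"]),
]


def verdicts():
    """Allow/deny decision for every entry in CASES, in order."""
    return [spec_matches(spec, argv) for spec, argv in CASES]


if __name__ == "__main__":
    for (spec, argv), ok in zip(CASES, verdicts()):
        print(f"{'ALLOW' if ok else 'DENY':5}  spec={spec!r:38}  cmd={' '.join(argv)!r}")
```

Running the block prints one ALLOW/DENY line per case. The second case is the failure from the question: once the shell receives `\/bin\/bla\/whatever`, the joined argument string differs from the sudoers text and the exact match is lost, while the last case shows what a bare /bin/bash entry buys an attacker, which is why the question rightly rejects it.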