Package: sudo
Version: 1.8.2-1
Severity: important

This issue may tie in with the change that closed #85123 and #85917 and opened #639841.

Once upon a time, I ran "su -", and it gave me a clean root login shell, with /sbin and /usr/sbin in its path. Then I switched to "sudo su -" or "sudo -H -s". Then I switched to "sudo -i", which was best, because it gave the same environment as "su -", but without having to use su.

Now, when I run "sudo -i", I get the original user's $PATH. My immediate reaction is "that's broken", but OK, I will try to do the recommended change to sudoers:

-Defaults env_reset
+Defaults env_reset, secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

But this is definitely wrong:

$ sudo -i
root@dali:~# echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
root@dali:~# logout
$ sudo -i -u fred
fred@dali:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

So what am I supposed to do about this? sudoers revolves around the user you're switching *from*, not the user you're switching *to*. AFAICT I need to do something like this:

 Defaults env_reset
-root ALL=(ALL:ALL) NOPASSWD:ALL
+root ALL=(root:ALL) SECURE_PATH:"..." NOPASSWD:ALL
+root ALL=(ALL:ALL) NOPASSWD:ALL
-%sudo ALL=(ALL:ALL) NOPASSWD:ALL
+%sudo ALL=(root:ALL) SECURE_PATH:"..." NOPASSWD:ALL
+%sudo ALL=(ALL:ALL) NOPASSWD:ALL

This doubling is fugly and verbose, but might just fly for such a simple ruleset. But at work I have a couple dozen LDAP sudoRole objects, and maintaining another dozen almost identical ones will be a pain in the arse.

Now, I suspect this is not sudo's fault -- that the change in sudo has just happened to expose some other misconfiguration in my system. Specifically I think that /etc/profile doesn't set $PATH anymore (it expects pam to), and PAM isn't doing so in this case for some reason.

OK, fine, whatever. I don't care which component is misconfigured here, I just want to "sudo -i" to DWIM and not have to go back to "sudo su -" to get a "real" login environment.

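Review bot: In the first sudoers change, secure_path is added to the unscoped Defaults line, so it is applied whatever the target user is, which is what the "sudo -i -u fred" session after it shows. If the superuser PATH is wanted only for root shells, bind the setting to the run-as user with a line of the form Defaults>root secure_path="..." (syntax from the sudoers manual) and leave the unscoped "Defaults env_reset" line as it was.
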
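Review bot: In the second sudoers change, each (root:ALL) line is followed by an (ALL:ALL) line for the same user or group, and sudoers uses the last entry that matches, so for a root target the (ALL:ALL) line wins and whatever is attached to the (root:ALL) line above it never applies. Put the more specific (root:ALL) line after the general one if a per-rule setting is meant to take effect.
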
PS: sorry if I sound really grumpy above, this just bit me unexpectedly because apt-listchanges didn't warn me.

$ sudo egrep -v '^(#|$)' /etc/sudoers /etc/profile /etc/environment /etc/login.defs
/etc/sudoers:Defaults env_reset
/etc/sudoers:Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
/etc/sudoers:root ALL=(ALL:ALL) NOPASSWD:ALL
/etc/sudoers:%sudo ALL=(ALL:ALL) NOPASSWD:ALL
/etc/profile:if [ "$PS1" ]; then
/etc/profile:  if [ "$BASH" ]; then
/etc/profile:    # The file bash.bashrc already sets the default PS1.
/etc/profile:    # PS1='\h:\w\$ '
/etc/profile:    if [ -f /etc/bash.bashrc ]; then
/etc/profile:      . /etc/bash.bashrc
/etc/profile:    fi
/etc/profile:  else
/etc/profile:    if [ "`id -u`" -eq 0 ]; then
/etc/profile:      PS1='# '
/etc/profile:    else
/etc/profile:      PS1='$ '
/etc/profile:    fi
/etc/profile:  fi
/etc/profile:fi
/etc/profile:umask 022
/etc/login.defs:MAIL_DIR /var/mail
/etc/login.defs:FAILLOG_ENAB yes
/etc/login.defs:LOG_UNKFAIL_ENAB no
/etc/login.defs:LOG_OK_LOGINS no
/etc/login.defs:SYSLOG_SU_ENAB yes
/etc/login.defs:SYSLOG_SG_ENAB yes
/etc/login.defs:FTMP_FILE /var/log/btmp
/etc/login.defs:SU_NAME su
/etc/login.defs:HUSHLOGIN_FILE .hushlogin
/etc/login.defs:ENV_SUPATH PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
/etc/login.defs:ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
/etc/login.defs:TTYGROUP tty
/etc/login.defs:TTYPERM 0600
/etc/login.defs:ERASECHAR 0177
/etc/login.defs:KILLCHAR 025
/etc/login.defs:UMASK 022
/etc/login.defs:PASS_MAX_DAYS 99999
/etc/login.defs:PASS_MIN_DAYS 0
/etc/login.defs:PASS_WARN_AGE 7
/etc/login.defs:UID_MIN 1000
/etc/login.defs:UID_MAX 60000
/etc/login.defs:GID_MIN 1000
/etc/login.defs:GID_MAX 60000
/etc/login.defs:LOGIN_RETRIES 5
/etc/login.defs:LOGIN_TIMEOUT 60
/etc/login.defs:CHFN_RESTRICT rwh
/etc/login.defs:DEFAULT_HOME yes
/etc/login.defs:USERGROUPS_ENAB yes

-- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages sudo depends on:
ii libc6 2.13-21
ii libpam-modules 1.1.3-4
ii libpam0g 1.1.3-2

sudo recommends no packages.

sudo suggests no packages.

-- Configuration Files:
/etc/sudoers [Errno 13] Permission denied: u'/etc/sudoers'
/etc/sudoers.d/README [Errno 13] Permission denied: u'/etc/sudoers.d/README'

-- no debconf information
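
The mismatch shown in the report, as an added example (not part of the original report and not sudo's own code): it compares the PATH that a secure_path setting forces for each target user with the PATH "su -" would take from login.defs. The Defaults>root scoping comes from the sudoers manual rather than the report, the parsing is simplified (no aliases, no "!secure_path"), and fred's uid is a constructed value.

```python
import re

# Constructed inputs, modelled on the files quoted in the report.
SBIN_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
LOGIN_DEFS = f"""\
ENV_SUPATH PATH={SBIN_PATH}
ENV_PATH PATH=/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games
"""
GLOBAL_SUDOERS = f'Defaults env_reset\nDefaults secure_path="{SBIN_PATH}"\n'
SCOPED_SUDOERS = f'Defaults env_reset\nDefaults>root secure_path="{SBIN_PATH}"\n'
TARGETS = {"root": 0, "fred": 1000}  # fred's uid is a constructed value

# Only unscoped "Defaults" and run-as scoped "Defaults>user" lines are handled.
DEFAULTS_RE = re.compile(r"^Defaults(?:>(?P<runas>[\w,-]+))?\s+(?P<body>.+)$")
SECURE_PATH_RE = re.compile(r'\bsecure_path\s*=\s*"?([^",\s]+)')

def secure_path_for(sudoers, target):
    """PATH sudo forces when running as `target`, or None if it forces none."""
    global_path = scoped_path = None
    for line in sudoers.splitlines():
        entry = DEFAULTS_RE.match(line.strip())
        found = entry and SECURE_PATH_RE.search(entry["body"])
        if not found:
            continue
        if entry["runas"] is None:
            global_path = found.group(1)
        elif target in entry["runas"].split(","):
            scoped_path = found.group(1)
    # A Defaults>user entry overrides the unscoped one for that target.
    return scoped_path if scoped_path is not None else global_path

def su_login_path(login_defs, uid):
    """PATH `su -` takes from login.defs: ENV_SUPATH for uid 0, else ENV_PATH."""
    key = "ENV_SUPATH" if uid == 0 else "ENV_PATH"
    for line in login_defs.splitlines():
        fields = line.split(None, 1)
        if len(fields) == 2 and fields[0] == key:
            return fields[1].strip().split("=", 1)[-1]  # drop the "PATH=" prefix
    return None

def mismatched_targets(sudoers, login_defs, targets):
    """Targets whose sudo-forced PATH differs from their `su -` PATH."""
    return [user for user, uid in targets.items()
            if (forced := secure_path_for(sudoers, user)) is not None
            and forced != su_login_path(login_defs, uid)]

if __name__ == "__main__":
    print("unscoped:", mismatched_targets(GLOBAL_SUDOERS, LOGIN_DEFS, TARGETS))
    print("Defaults>root:", mismatched_targets(SCOPED_SUDOERS, LOGIN_DEFS, TARGETS))
```

A target for which secure_path_for returns None is not flagged; in that case sudo forces no PATH and the report's original complaint (the invoking user's $PATH carries over) applies instead.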