On Wed, May 18, 2022 at 09:36:56PM -0500, Tom Browder wrote:
> I need a special path setting for root after both "sudo" and "sudo su." How
> can I set that up correctly?

Let's start by pointing out how silly the latter is. You're running TWO
different setuid programs, either one of which is capable of giving you a
root shell by itself.

If you want to use sudo to open an interactive shell as root, simply use
"sudo -s" for a normal shell, or "sudo -i" for a login shell.

So, moving on. sudo on Debian sets the PATH variable by default (because
it wasn't tainted by idiocy like su was in buster). This is controlled by
the following entry in the /etc/sudoers file:

    Defaults secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

And just to confirm:

    unicorn:~$ sudo -s
    unicorn:~# echo "$PATH"
    /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

Pretty simple, right? If you want a different path from sudo, you can
simply edit that entry in the sudoers file. (Purists will tell you to use
"visudo" to do it.)

Now, what's the deal with su?

In Debian releases from 1.1 to 9, the "su" program was provided by the
"login" package, and it always changed the PATH variable, regardless of
whether you used it to get a normal shell ("su") or a login shell ("su -").

In Debian 10 and 11, the "su" program is provided by the "util-linux"
package, and comes from a completely different code base. The default
behavior of this version is NOT to set the PATH variable. So, if you
simply do "su", you get a root shell with your regular account's PATH.

A bunch of people are apparently used to this, because Red Hat has used
it for a long time. And also apparently, the workaround that the Red Hat
community has embraced is to run "su -" to get a login shell, and then
rely on the *shell* to change the PATH variable for you, based on either
/etc/profile or root's ~/.profile.

A much better workaround is to create the /etc/default/su file and put
the line

    ALWAYS_SET_PATH yes

in it. This will tell "su" to change the PATH variable to something
sensible, without you needing to run "su -" to get a login shell which
changes your working directory.
It's a reasonable approximation of the traditional Debian behavior, and
it can be achieved by creating a one-line configuration file. I strongly
believe that the Debian developers should have shipped this file with
util-linux in Debian 10+, but sadly, they did not.

If you want to customize the PATH that you get from su (after putting
ALWAYS_SET_PATH in the config file), you can add another line. Here's
the relevant section of the su(1) man page from bullseye:

    ENV_ROOTPATH (string)
    ENV_SUPATH (string)
        Defines the PATH environment variable for root. ENV_SUPATH takes
        precedence. The default value is /usr/local/sbin:/usr/local/bin:
        /sbin:/bin:/usr/sbin:/usr/bin.

    ALWAYS_SET_PATH (boolean)
        If set to yes and --login and --preserve-environment were not
        specified su initializes PATH.

So, still pretty simple. You just have to read the documentation and
write the (two-line) config file yourself, since Debian didn't bother to
do it.
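
Added example, not part of the original message: a shell sketch that applies the rules quoted from su(1) above to predict the PATH a plain "su" hands to root, and flags a result containing empty or relative entries. The function names, the "NAME value" parsing rules, and the sample config and paths are assumptions made for illustration.

```shell
# Added example (not from the original message). Assumes "NAME value" lines
# with "#" comments, and that the last assignment of a key wins.

# Default root PATH, as given in the su(1) excerpt quoted in the message.
SU_DEFAULT_ROOTPATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# su_conf_get FILE KEY: print the value set for KEY, or nothing.
su_conf_get() {
    [ -r "$1" ] || return 0
    awk -v key="$2" '{ sub(/#.*/, "") } $1 == key { v = $2 }
                     END { if (v != "") print v }' "$1"
}

# su_root_path FILE CALLER_PATH: PATH a root shell gets from a plain "su"
# (no --login, no --preserve-environment).
su_root_path() {
    if [ "$(su_conf_get "$1" ALWAYS_SET_PATH)" != yes ]; then
        printf '%s\n' "$2"      # PATH not initialized: caller's PATH is kept
        return 0
    fi
    p=$(su_conf_get "$1" ENV_SUPATH)                  # takes precedence
    [ -n "$p" ] || p=$(su_conf_get "$1" ENV_ROOTPATH)
    [ -n "$p" ] || p=$SU_DEFAULT_ROOTPATH
    printf '%s\n' "$p"
}

# path_risky PATHSTRING: succeed if any entry is empty or not absolute, so
# root would resolve commands relative to the current directory.
path_risky() {
    case ":$1:" in *::*) return 0 ;; esac
    old_ifs=$IFS; IFS=:
    for d in $1; do
        case "$d" in /*) ;; *) IFS=$old_ifs; return 0 ;; esac
    done
    IFS=$old_ifs
    return 1
}

# Demo: constructed config file and constructed unprivileged PATH.
demo() {
    conf=$(mktemp) || return 1
    printf 'ALWAYS_SET_PATH yes\nENV_ROOTPATH /opt/admin/bin:/usr/sbin\n' >"$conf"
    for f in /nonexistent "$conf"; do
        p=$(su_root_path "$f" "/home/alice/bin:.:/usr/bin")
        if path_risky "$p"; then echo "$f: $p (RISKY)"; else echo "$f: $p (ok)"; fi
    done
    rm -f "$conf"
}
demo
```

To check a real system, pass /etc/default/su and the invoking account's PATH to su_root_path.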