How to run growisofs via sudo


Whenever I've attempted to run growisofs via sudo I've always gotten the following error message.

$ sudo -i growisofs
:-( growisofs is being executed under sudo, aborting!
    See NOTES paragraph in growisofs manual page for further details.
$ sudo -s growisofs
:-( growisofs is being executed under sudo, aborting!
    See NOTES paragraph in growisofs manual page for further details.

Which leads me to having to do a sudo su - followed by growisofs.

$ sudo su - -c growisofs
growisofs: previous "session" device is not specified, do use -M or -Z option

-or-

$ sudo su -
# growisofs ...

Is there an alternative way I can do this without having to do the su -?

Background

This behavior is built into the tool growisofs to thwart giving access to the filesystem with elevated privileges.

excerpt

NOTES

If executed under sudo(8) growisofs refuses to start. This is done for the following reason. Naturally growisofs has to access the data set to be recorded to DVD media, either indirectly by letting mkisofs generate ISO9660 layout on-the-fly or directly if a pre-mastered image is to be recorded. Being executed under sudo(8), growisofs effectively grants sudoers read access to any file in the file system. The situation is intensified by the fact that growisofs parses MKISOFS environment variable in order to determine alternative path to mkisofs executable image. This means that being executed under sudo(8), growisofs effectively grants sudoers right to execute program of their choice with elevated privileges. If you for any reason still find the above acceptable and are willing to take the consequences, then consider running following wrapper script under sudo(8) in place for real growisofs binary.

       #!/bin/ksh
       unset SUDO_COMMAND
       export MKISOFS=/path/to/trusted/mkisofs
       exec growisofs "$@"

But note that the recommended alternative to the above "workaround" is actually to install growisofs set-root-uid, in which case it will drop privileges prior accessing data or executing mkisofs in order to preclude unauthorized access to the data.

Best Answer

What growisofs is doing here is looking for the SUDO_COMMAND environment variable, and aborting if the variable is found. The reason sudo su - works is because su - clears the environment.

Rather than having to get a full shell, you can do:

sudo env -i growisofs

This will wipe the environment, just like su -. The only difference is that su - will also put the basic variables (in /etc/profile and such) back, whereas env -i won't (completely empty environment).

A more precise solution would be:

sudo env -u SUDO_COMMAND growisofs

This will preserve the environment except for SUDO_COMMAND.
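
Added example, not part of the original answer or of the growisofs project: it compares what a child process still sees under each invocation form above and under the settings the man page wrapper applies. `probe` is a hypothetical stand-in for growisofs, and the SUDO_COMMAND and MKISOFS values are constructed; whether MKISOFS really passes through sudo depends on the local sudoers env_reset/env_keep policy.

```shell
#!/bin/sh
# Stand-in for growisofs (assumption): reports whether SUDO_COMMAND is
# present and what MKISOFS is set to, the two variables the NOTES section
# of the man page is concerned with.
probe() {
    # "$@" is the launcher prefix under test, e.g. "env -i"; may be empty.
    "$@" /bin/sh -c '
        if [ -n "${SUDO_COMMAND+x}" ]; then s=present; else s=absent; fi
        printf "SUDO_COMMAND=%s MKISOFS=%s\n" "$s" "${MKISOFS-unset}"
    '
}

# Runs probe inside a subshell whose environment imitates a process
# started by sudo. Both values are constructed for this example.
simulate() (
    export SUDO_COMMAND="/usr/bin/growisofs -Z /dev/sr0=image.iso"
    export MKISOFS="/tmp/untrusted/mkisofs"
    probe "$@"
)

# 1. Plain sudo: the check would trigger, MKISOFS is inherited.
printf 'plain sudo:          %s\n' "$(simulate)"

# 2. env -i: everything is wiped, including MKISOFS.
printf 'env -i:              %s\n' "$(simulate env -i)"

# 3. env -u SUDO_COMMAND: the check passes, but MKISOFS is still inherited.
printf 'env -u SUDO_COMMAND: %s\n' "$(simulate env -u SUDO_COMMAND)"

# 4. Same effect as the man page wrapper: SUDO_COMMAND removed and
#    MKISOFS pinned to a fixed path (placeholder path from the man page).
printf 'wrapper equivalent:  %s\n' \
    "$(simulate env -u SUDO_COMMAND MKISOFS=/path/to/trusted/mkisofs)"
```

With `env -u SUDO_COMMAND` an inherited MKISOFS stays in place, and that is the variable the NOTES section says growisofs parses to locate mkisofs; `env -i` and the wrapper both stop it from being inherited.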
