Whenever I've attempted to run growisofs
via sudo
I've always gotten the following error message.
$ sudo -i growisofs
:-( growisofs is being executed under sudo, aborting!
See NOTES paragraph in growisofs manual page for further details.
$ sudo -s growisofs
:-( growisofs is being executed under sudo, aborting!
See NOTES paragraph in growisofs manual page for further details.
Which leads me to having to do a sudo su -
followed by growisofs
.
$ sudo su - -c growisofs
growisofs: previous "session" device is not specified, do use -M or -Z option
-or-
$ sudo su -
# growisofs ...
Is there a alternative way I can do this without having to do the su -
?
Background
This behavior is built into the tool growisofs
to thwart giving access to the filesystem with elevated privileges.
excerpt
NOTES
If executed under
sudo(8)
growisofs
refuses to start. This is done for the following reason. Naturallygrowisofs
has to access the data set to be recorded to DVD media, either indirectly by lettingmkisofs
generate ISO9660 layout on-the-fly or directly if a pre-mastered image is to be recorded. Being executed undersudo(8)
,growisofs
effectively grants sudoers read access to any file in the file system. The situation is intensified by the fact that growisofs parsesMKISOFS
environment variable in order to determine alternative path to mkisofs executable image. This means that being executed undersudo(8)
, growisofs effectively grants sudoers right to execute program of their choice with elevated privileges. If you for any reason still find the above acceptable and are willing to take the consequences, then consider running following wrapper script undersudo(8)
in place for realgrowisofs
binary.#!/bin/ksh unset SUDO_COMMAND export MKISOFS=/path/to/trusted/mkisofs exec growisofs "$@"
But note that the recommended alternative to the above "workaround" is actually to install
growisofs
set-root-uid, in which case it will drop privileges prior accessing data or executingmkisofs
in order to preclude unauthorized access to the data.
Best Answer
What
growisofs
is doing here is looking for theSUDO_COMMAND
environment variable, and aborting if the variable is found. The reasonsudo su -
works is becausesu -
clears the environment.Rather than having to get a full shell, you can do:
This will wipe the environment, just like
su -
. The only difference is thatsu -
will also put the basic variables (in/etc/profile
and such) back, where asenv -i
wont (completely empty environment).A more precise solution would be:
This will preserve the environment except for
SUDO_COMMAND
.