The following statement appears early in the sudoers manual; it refers to the "SUDO_USER environment variable", but the manual does not define it:
If sudo is run by root and the SUDO_USER environment variable is set, the sudoers policy will use this value to determine who the actual user is. This can be used by a user to log commands through sudo even when a root shell has been invoked. It also allows the -e option to remain useful even when invoked via a sudo-run script or program. Note, however, that the sudoers lookup is still done for root, not the user specified by SUDO_USER.
This entire paragraph remains fairly elusive to me; any clarification would be appreciated. For instance, what does it mean that the sudoers policy uses the SUDO_USER environment variable to determine who the user actually is, and what does it mean that it can be used by a user to log commands?
This sentence also eludes me:
This can be used by a user to log commands through sudo even when a root shell has been invoked.
Best Answer
SUDO_USER is documented in man sudo (not sudoers):
That is, if you run sudo sh -c 'echo $SUDO_USER' it is a roundabout way of getting the effect of whoami.
sudo logs when a user runs (or tries to run) a command through it. You can list them with journalctl /usr/bin/sudo or something equivalent for your system. It lists the user name and command of each invocation.
If sudo is run 1) as root and 2) with SUDO_USER set, the log entry will be tagged with the SUDO_USER username, rather than as "root". This lets a (cooperating) user record the commands they ran for posterity, even though they were in an unrestricted environment. sudo always succeeds when run with root privileges (unless disabled with the root_sudo setting), since you could just run the command without it.
There are two main ways this would come up. The first is the obvious sudo bash or equivalent and a desire to record things. The other use case is for scripts, which can log the actual actions they took on behalf of users. It's an informative behaviour, not a security issue.
sudo -e is used for editing files and uses a different set of security policies, also documented in man sudo and somewhat safer editing behaviours. People sometimes use it when logged in as root for those features, and it has the same interaction with SUDO_USER as above.
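For the script use case described in the answer, here is an added example (not part of the original answer or of sudo itself) of a helper that decides which account name a sudo-run script writes into its own audit line. It consults SUDO_USER only when running as root and treats the value as an unverified claim, since it is an ordinary environment variable; the names resolve_actor and audit_line and the line format are assumptions.

```shell
#!/bin/sh
# Added example: choose the account name a sudo-run script records in its own
# audit line. resolve_actor/audit_line and the line format are hypothetical.

# Name of the account this process really runs as.
self_name() { id -un 2>/dev/null || id -u; }

# resolve_actor EUID CLAIMED
# Prints the name to record. Returns 0 if CLAIMED (the SUDO_USER value) was
# used, 1 if the process's own identity was used instead.
resolve_actor() {
    ra_euid=$1
    ra_claimed=$2
    # SUDO_USER is only consulted when running as root, as in the manual text.
    if [ "$ra_euid" -ne 0 ] || [ -z "$ra_claimed" ]; then
        self_name
        return 1
    fi
    # It is an ordinary environment variable, so a root shell can set it to
    # anything: accept only a plain account name that exists on this host.
    case $ra_claimed in
        -* | *[!A-Za-z0-9._-]*) self_name; return 1 ;;
    esac
    if id -u "$ra_claimed" >/dev/null 2>&1; then
        printf '%s\n' "$ra_claimed"
        return 0
    fi
    self_name
    return 1
}

# audit_line COMMAND [ARG...]
# Formats one record; origin= shows whether the name came from SUDO_USER.
audit_line() {
    al_origin=SUDO_USER
    al_actor=$(resolve_actor "$(id -u)" "${SUDO_USER:-}") || al_origin=process
    printf 'actor=%s origin=%s command=%s\n' "$al_actor" "$al_origin" "$*"
}

# Demo: prints origin=SUDO_USER only when run as root with SUDO_USER set.
audit_line systemctl restart example.service
```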