SUDO_USER undefined in sudo manual – clarification would be lovely

rootsudo

The following statement appears early in the sudoers manual, it refers to the "SUDO_USER environment variable" but the manual does not define it:

If sudo is run by root and the SUDO_USER environment variable is set, the sudoers policy will use this value to determine who the actual user is. This can be used by a user to log commands through sudo even when a root shell has been invoked. It also allows the -e option to remain useful even when invoked via a sudo-run script or program. Note, however, that the sudoers lookup is still done for root, not the user specified by SUDO_USER.

This entire paragraph remains fairly elusive to me, any clarification would be appreciated. For instance, what does it mean that the sudoers policy uses the SUDO_USER environment variable to determine who the user actually is, and what does it mean that it can be used by a user to log commands?

This sentence also eludes me:

This can be used by a user to log commands through sudo even when a root shell has been invoked.

Best Answer

SUDO_USER is documented in man sudo (not sudoers):

SUDO_USER        Set to the login name of the user who invoked sudo.

That is, if you run sudo sh -c 'echo $SUDO_USER' it is a roundabout way of getting the effect of whoami.

sudo logs when a user runs (or tries to run) a command through it. You can list them with journalctl /usr/bin/sudo or something equivalent for your system. It lists the user name and command of each invocation.

If sudo is run 1) as root and 2) with SUDO_USER set, the log entry will be tagged with the SUDO_USER username, rather than as "root". This lets a (cooperating) user record the commands they ran for posterity, even though they were in an unrestricted environment. sudo always succeeds when run with root privileges (unless disabled with the root_sudo setting), since you could just run the command without it.

There are two main ways this would come up. The first is the obvious sudo bash or equivalent and a desire to record things. The other use case is for scripts, which can log the actual actions they took on behalf of users. It's an informative behaviour, not a security issue.

sudo -e is used for editing files and uses a different set of security policies, also documented in man sudo and somewhat safer editing behaviours. People sometimes use it when logged in as root for those features, and it has the same interaction with SUDO_USER as above.

Best Answer

Related Solutions

Bash – How to prevent the caller’s shell from being used in sudo

Related Question