
Using the bash shell: determine if the root user used 'sudo -i'


Tom Browder

Aug 26, 2023, 10:30:07 AM
In a previous thread it was shown how to detect a SUDO_USER in a bash shell.

Is there a way to distinguish whether 'sudo -i' was used or not?

Thanks.

-Tom

Roberto C. Sánchez

Aug 26, 2023, 10:40:06 AM
The SUDO_COMMAND environment variable would report /bin/bash in that
instance. Would that be sufficient for your needs?

If not, then what exactly are you trying to accomplish? Please don't say
"I want to know if sudo -i was used" because we already know that. Why
is that a necessary piece of information in your use case? What will you
do with that information? What decision will you make? What action will
you take?

Regards,

-Roberto

--
Roberto C. Sánchez

Alain D D Williams

Aug 26, 2023, 11:30:06 AM
On Sat, Aug 26, 2023 at 09:25:10AM -0500, Tom Browder wrote:
> In a previous thread it was shown how to detect a SUDO_USER in a bash shell.
>
> Is there a way to distinguish whether 'sudo -i' was used or not?

I have not tested this but if bash was interactive you will find a
.bash_history file in their $HOME.

That assumes that they have not logged in - ie only ever sudo.

> Thanks.
>
> -Tom

--
Alain Williams
Linux/GNU Consultant - Mail systems, Web sites, Networking, Programmer, IT Lecturer.
+44 (0) 787 668 0256 https://www.phcomp.co.uk/
Parliament Hill Computers. Registration Information: https://www.phcomp.co.uk/Contact.html
#include <std_disclaimer.h>

to...@tuxteam.de

Aug 26, 2023, 11:50:06 AM
On Sat, Aug 26, 2023 at 04:45:54PM +0200, DdB wrote:
> On 26.08.2023 at 16:25, Tom Browder wrote:
> > Is there a way to distinguish whether 'sudo -i' was used or not?
> >
> Sorry, i am not an expert on this. But ... since years i am using this
> to check for it:
>
> > # if `echo $HOME` is not "/root" or the working dir (pwd) is not "/root", then this was not executed with "sudo -i"
> > assert "echo $HOME" /root "nicht mit sudo -i aufgerufen"
> > assert pwd /root "nicht mit sudo -i aufgerufen"
>
> hope, this will give you a clue ;-)
> DdB

Unless, of course, the shell does "export HOME=/root" at some point
after start. Or one of the other fifty-two ways to achieve that.

That's why I think Roberto is right elsewhere in this thread.

Basically it is not possible to find out, so it makes sense to
think about the question "why do I need this?" to zoom into what
the real problem is. Perhaps that one can be solved :-)

Cheers
--
t

Greg Wooledge

Aug 26, 2023, 12:00:05 PM
On Sat, Aug 26, 2023 at 10:49:45AM -0500, Tom Browder wrote:
> I would like to know whether 'sudo -i' or 'sudo -s' was used.

That's STILL an X-Y problem.

> The reason is
> to know if the cwd is set to '/root' or '.' It's critical for the script
> execution

Oh? Then just look at the current working directory. It's in the $PWD
variable.

You don't actually need to know what was typed.

In fact, I suspect "I need to know if the cwd is /root" is STILL an X-Y
problem. It's sounding like "I need to ensure my script's working
directory is /foo". If that's truly the case, just do "cd /foo || exit"
at the top of the script.

Tom Browder

Aug 26, 2023, 12:00:06 PM
On Sat, Aug 26, 2023 at 09:32 Roberto C. Sánchez <rob...@debian.org> wrote:
> On Sat, Aug 26, 2023 at 09:25:10AM -0500, Tom Browder wrote:
> > In a previous thread it was shown how to detect a SUDO_USER in a bash
> > shell.
> > Is there a way to distinguish whether 'sudo -i' was used or not?

I would like to know whether 'sudo -i' or 'sudo -s' was used. The reason is to know if the cwd is set to '/root' or '.' It's critical for the script execution

-Tom

Tom Browder

Aug 26, 2023, 12:10:06 PM
On Sat, Aug 26, 2023 at 10:57 Greg Wooledge <gr...@wooledge.org> wrote:
> On Sat, Aug 26, 2023 at 10:49:45AM -0500, Tom Browder wrote:
> > I would like to know whether 'sudo -i' or 'sudo -s' was used.
> ...
> In fact, I suspect "I need to know if the cwd is /root" is STILL an X-Y
> problem.  It's sounding like "I need to ensure my script's working
> directory is /foo".  If that's truly the case, just do "cd /foo || exit"
> at the top of the script.
> ...

Excellent mind-reading, Greg! So to use your line I will put in that dir:

    "cd /required-dir || exit"

Thanks so much.

And thanks to all others who responded.

-Tom

Michael Kjörling

Aug 26, 2023, 12:20:06 PM
On 26 Aug 2023 11:56 -0400, from gr...@wooledge.org (Greg Wooledge):
> You don't actually need to know what was typed.

And even being able to answer the question "how was sudo executed"
doesn't solve the problem of ensuring that the script is executing
within a particular directory. All it takes is the user cd'ing to a
different directory before running the script.


> In fact, I suspect "I need to know if the cwd is /root" is STILL an X-Y
> problem.

Agreed.

Also, a few things worth noting:

* The current working directory will ALWAYS be ".". That's what "." at
the beginning of a relative path _means_. So testing the current
working directory against the actual path corresponding to "." will
always return a truthy result.

* The home directory of the root user won't necessarily be /root. By
convention it often is, but there's no guarantee that this is the
case.

* There can be multiple users with the same numerical user ID
(including 0), with different user names and home directories but
access to the same files. The BSDs do this often; Linux systems more
rarely so, but it's absolutely possible.

And that's just what I can think of off the top of my head.

--
Michael Kjörling 🔗 https://michael.kjorling.se
“Remember when, on the Internet, nobody cared that you were a dog?”

to...@tuxteam.de

Aug 26, 2023, 12:40:07 PM
On Sat, Aug 26, 2023 at 11:56:27AM -0400, Greg Wooledge wrote:
> On Sat, Aug 26, 2023 at 10:49:45AM -0500, Tom Browder wrote:
> > I would like to know whether 'sudo -i' or 'sudo -s' was used.
>
> That's STILL an X-Y problem.
>
> > The reason is
> > to know if the cwd is set to '/root' or '.' It's critical for the script
> > execution
>
> Oh? Then just look at the current working directory. It's in the $PWD
> variable.

I guess it's better to use the shell builtin pwd:

PWD=/not/such/file/or/directory
echo "cwd=" $(pwd) "PWD=" $PWD

(Note: your shell prompt might be a bit... messed up after
that)

> You don't actually need to know what was typed.

Yep, that was my hunch, too.

Cheers
--
t

Nate Bargmann

Aug 26, 2023, 1:20:06 PM
* On 2023 26 Aug 11:10 -0500, Tom Browder wrote:
> On Sat, Aug 26, 2023 at 10:57 Greg Wooledge <gr...@wooledge.org> wrote:
>
> > On Sat, Aug 26, 2023 at 10:49:45AM -0500, Tom Browder wrote:
> > > I would like to know whether 'sudo -i' or 'sudo -s' was used.
>
> ...
>
> > In fact, I suspect "I need to know if the cwd is /root" is STILL an X-Y
> > problem. It's sounding like "I need to ensure my script's working
> > directory is /foo". If that's truly the case, just do "cd /foo || exit"
> > at the top of the script.
>
> ...
>
> Excellent mind-reading, Greg! So to use your line I will put in that dir:
>
> "cd /required-dir || exit"

In such cases I prefer specifying the complete paths in the script so as
not to get lost. If the script needs to work in a specific directory of
root I'll put:

cd /root/dir/dir1

or something like:

cd /home/username/dir

and so on (adding whatever error recovery is needed).

If I need to source a file I just type in the complete path name. It's
a one time bother and the executing shell doesn't care and as the script
gets more complex it's much easier to keep one's bearings on where the
script is working at various points.

As I see it, relative paths are more for interactive shell use.

- Nate

--
"The optimist proclaims that we live in the best of all
possible worlds. The pessimist fears this is true."
Web: https://www.n0nb.us
Projects: https://github.com/N0NB
GPG fingerprint: 82D6 4F6B 0E67 CD41 F689 BBA6 FB2C 5130 D55A 8819


Tom Browder

Aug 26, 2023, 3:00:06 PM
As I think I replied earlier, I am now checking the script is in the required directory in order to be executed (by the root user). I am not concerned with any other caveats or use by any unauthorized users for any nefarious purpose.

I consider this thread completed.

Thanks to all who responded--Debian users are the best!

-Tom

to...@tuxteam.de

Aug 26, 2023, 3:20:05 PM
On Sat, Aug 26, 2023 at 01:54:41PM -0500, Tom Browder wrote:
> On Sat, Aug 26, 2023 at 10:42 <to...@tuxteam.de> wrote:

[...]

> > Basically it is not possible to find out [...]

> As I think I replied earlier, I am now checking the script is in the
> required directory in order to be executed (by the root user) [...]

Yes, it seems our posts crossed.

Anyway, glad you found a solution.

Cheers
--
t

Karl Vogel

Aug 26, 2023, 7:10:07 PM
On Sat, Aug 26, 2023 at 12:09:57PM -0400, Tom Browder wrote:
> Excellent mind-reading, Greg! So to use your line I will put in that dir:
> "cd /required-dir || exit"
>
> Thanks so much. And thanks to all others who responded.

If you're running bash, the safest way to find your current working
directory is capturing the output from /bin/pwd. Symlinked directories
can surprise you:

me$ cd

me$ ls -ldF today
lrwxr-xr-x 1 me mis 18 Aug 26 00:03 today@ -> notebook/2023/0826

me$ cd today

me$ pwd
/home/me/today

me$ /bin/pwd
/home/me/notebook/2023/0826

me$ echo $PWD
/home/me/today

If you want to know why you had an early exit:

me$ cat try
#!/usr/bin/env bash
# try: test logging.

export PATH=/usr/local/bin:/bin:/usr/bin
set -o nounset # check for unbound variables.
tag=${0##*/}
umask 022

# Test file descriptor 2 for interactive or cron use.
test -t 2
case "$?" in
0) logmsg () { echo "$(date '+%F %T') $tag: $*"; } ;;
*) logmsg () { logger -t "$tag" "$@"; } ;;
esac

warn () { logmsg "WARN: $*" ; }
die () { logmsg "FATAL: $*"; exit 1 ; }

# Real work starts here.
case "$#" in
0) die "need a directory" ;;
*) dir="$1" ;;
esac

test -d "$dir" || die "$dir: not a directory"
cd "$dir" || die "$dir: cannot cd"
cwd=$(/bin/pwd)

logmsg "start working in $cwd"
exit 0

On FreeBSD, you can use "daemon" to run something detached from the
controlling terminal, which simulates running a cron job:

me$ ls -ldF /etc /var/authpf
drwxr-xr-x 27 root wheel 120 26-Aug-2023 07:55:02 /etc/
drwxrwx--- 2 root authpf 2 05-Jul-2019 00:45:45 /var/authpf/

me$ ./try /etc
2023-08-26 18:31:54 try: start working in /etc

me$ daemon -f $PWD/try /etc
me$ daemon -f $PWD/try /var/authpf

me$ tail -2 /var/log/syslog
Aug 26 18:19:17 myhost try: start working in /etc
Aug 26 18:19:19 myhost try: FATAL: /var/authpf: cannot cd

Hope this helps.

--
Karl Vogel I don't speak for anyone but myself.

Oh, my darlin' had bronchitis and she barfed up half a lung,
what came up looked quite amazing when she rolled it on her tongue.
--sung to the tune of "My Darling Clementine"

Greg Wooledge

Aug 26, 2023, 7:30:06 PM
On Sat, Aug 26, 2023 at 06:42:42PM -0400, Karl Vogel wrote:
> If you're running bash, the safest way to find your current working
> directory is capturing the output from /bin/pwd. Symlinked directories
> can surprise you:
>
> me$ cd
>
> me$ ls -ldF today
> lrwxr-xr-x 1 me mis 18 Aug 26 00:03 today@ -> notebook/2023/0826
>
> me$ cd today
>
> me$ pwd
> /home/me/today
>
> me$ /bin/pwd
> /home/me/notebook/2023/0826
>
> me$ echo $PWD
> /home/me/today

unicorn:~$ help pwd
pwd: pwd [-LP]
Print the name of the current working directory.

Options:
-L print the value of $PWD if it names the current working
directory
-P print the physical directory, without any symbolic links

By default, `pwd' behaves as if `-L' were specified.
[...]

Of course, this is all a big tangent from the original request.
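
An added example, not code posted by anyone in the thread: it combines the "cd /required-dir || exit" advice with the physical-path check ("pwd -P") so that a symlinked directory or a modified $PWD cannot mislead a script about where it is running. The function names (enter_dir, in_required_dir, setup_demo) are hypothetical and every path is constructed under a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the thread. enter_dir, in_required_dir and
# setup_demo are hypothetical names; all paths are constructed in a temp dir.

# enter_dir DIR: cd to an absolute DIR and print the physical path reached.
# Returns 2 for a relative path, 1 if the cd fails.
enter_dir () {
    case $1 in
        /*) ;;
        *)  echo "enter_dir: not an absolute path: $1" >&2; return 2 ;;
    esac
    cd -P -- "$1" 2>/dev/null || { echo "enter_dir: cannot cd: $1" >&2; return 1; }
    pwd -P
}

# in_required_dir DIR: succeed only if the physical cwd is DIR's physical
# path. Uses pwd -P (getcwd), so neither symlinks nor a modified $PWD matter.
in_required_dir () {
    want=$(cd -P -- "$1" 2>/dev/null && pwd -P) || return 1
    [ "$(pwd -P)" = "$want" ]
}

# Constructed layout mirroring the symlink case shown in the thread:
#   $demo/today -> notebook/2023/0826
setup_demo () {
    demo=$(mktemp -d) || return 1
    demo=$(cd -P -- "$demo" && pwd -P)   # the temp root may itself be a symlink
    mkdir -p "$demo/notebook/2023/0826" && ln -s notebook/2023/0826 "$demo/today"
}

setup_demo || exit 1
echo "entered: $(enter_dir "$demo/today")"
(
    cd "$demo/today" || exit 1
    PWD=/no/such/dir                     # misleading value, as in the thread
    echo "PWD=$PWD  physical=$(pwd -P)"
    in_required_dir "$demo/today" && echo "check passes via the symlink"
    in_required_dir "$demo" || echo "check fails for the parent directory"
)
rm -rf "$demo"
```
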