[Leaplist] sudo vs su

Kevin Korb kmk at sanitarium.net
Mon Jun 8 23:29:57 EDT 2009


I have a similar issue but dealt with it a different way...

I too use tcsh and prefer to have my shell settings when root.  However,
since I am the only tcsh user at my company, nobody minds me putting my
.tcshrc into /root as long as I don't change root's shell.

So, my solution was to cause su to run tcsh instead of bash with this in
my user level .tcshrc:
# determine root's shell so su can run my shell.
if ($user != "root") then
  set RootShell=`grep ^root: /etc/passwd | awk -F/ '{print $NF}'`
  if ($RootShell != "tcsh") then
    set Su=`which su`
    set Tcsh=`which tcsh`
    if ( -e /usr/bin/emerge ) then
      # we are on Gentoo with its screwy su.
      alias su "$Su -c $Tcsh"
    else
      # we are on something other than Gentoo
      alias su "$Su -s $Tcsh"
    endif
  endif
endif

If I log into root directly and get bash I just run 'exec tcsh' before I
do anything else.

John Simpson wrote:
> On 2009-06-01, at 1101, Richard F. Ostrow Jr. wrote:
>>
>> su - input not logged, difficult to backtrace what was done in the event
>> of a catastrophic screwup (rm -rf /)
>>
>> sudo - can easily track what was done. Everything put into sudo goes into
>> /var/log/{hostname}/messages of the remote logging system. An 'rm -rf /'
>> would be logged on the remote machine, and I would know *exactly* who was
>> stupid enough to do such a thing, and can make them clean up the mess.
>>
>> I wonder which one is better from an SA standpoint?
> 
> my job involves administering about 100 linux machines. here's one thing
> i personally like about "sudo"...
> 
> my non-root account uses tcsh, with a customized set of aliases and a
> visually distinctive prompt (so i can tell where the commands are when
> scrolling back up in a window.) even if root uses an un-modified bash
> with the boring "[hostname] #" prompt, if i log into my own account and
> do "sudo -s", it makes me root, running tcsh, using the .tcshrc from my
> non-root user's home directory, which gives me all of my aliases and the
> special prompt, only running as root. this is because "sudo" doesn't
> re-write the HOME and/or SHELL variables.
> 
> the one problem with this is that, when i do this, the HOME variable
> points to my non-root user's home directory. which is fine when tcsh
> starts and is looking for a .tcshrc file, but it's a bit confusing when
> you start entering commands. so my .tcshrc file has the following...
> 
> setenv OLDHOME $HOME
> if ( $LOGNAME == "root" ) then
>     set path=( /usr/bin /bin )
>     set newhome=`grep ^root: /etc/passwd | cut -d: -f6`
>     if ( "$newhome" != "" ) then
>         setenv HOME $newhome
>     endif
> endif
> 
> ... so that AFTER it's already reading the .tcshrc file from my non-root
> home directory, the shell has a HOME variable which points to root's
> home directory, as you would normally expect.
> 
> ----------------------------------------------------------------
> | John M. Simpson    ---   KG4ZOW   ---    Programmer At Large |
> | http://www.jms1.net/                         <jms1 at jms1.net> |
> ----------------------------------------------------------------
> | http://video.google.com/videoplay?docid=-1656880303867390173 |
> ----------------------------------------------------------------

--
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
	Kevin Korb			Phone:    (407) 252-6853
	Systems Administrator		Internet:
	FutureQuest, Inc.		Kevin at FutureQuest.net  (work)
	Orlando, Florida		kmk at sanitarium.net (personal)
	Web page:			http://www.sanitarium.net/
	PGP public key available on web site.
~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~'`^`'~*-,._.,-*~
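
Added example (not part of the original messages): a shell/awk script that reads sudo's syslog records and separates single commands, which are attributed per command, from launches of a shell or su (as with "sudo -s"), after which sudo logs nothing further by default. The log lines, host and user names, and the function names classify_sudo and shell_sessions are constructed for illustration; it assumes the traditional syslog timestamp and sudo's default log format.

```shell
#!/bin/sh
# Added example: classify sudo syslog entries so a reviewer can see which
# root actions are attributable per command and which are only a shell launch.

# Constructed sample in sudo's default syslog format (host and users are made up).
sample_log() {
cat <<'EOF'
Jun  8 23:10:01 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/rm -rf /srv/tmp
Jun  8 23:11:40 web01 sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/tcsh
Jun  8 23:12:05 web01 sudo:     bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/su -
Jun  8 23:12:30 web01 sshd[812]: Accepted publickey for bob from 192.0.2.7 port 50022 ssh2
Jun  8 23:14:10 web01 sudo:    dave : user NOT in sudoers ; TTY=pts/3 ; PWD=/home/dave ; USER=root ; COMMAND=/bin/bash
EOF
}

# Reads syslog on stdin; prints user, run-as user, status, kind, command (tab-separated).
classify_sudo() {
  awk '
    $5 != "sudo:" || $7 != ":" { next }        # keep only sudo command records
    {
      user = $6
      rest = substr($0, index($0, " : ") + 3)  # text after "<user> : "
      ci = index(rest, "COMMAND=")
      if (ci == 0) next
      cmd  = substr(rest, ci + 8)              # to end of line; may contain " ; "
      head = substr(rest, 1, ci - 1)
      runas = "root"
      if (match(head, /USER=[^ ;]+/)) runas = substr(head, RSTART + 5, RLENGTH - 5)
      # A message before TTY= means sudo refused (bad password, not in sudoers).
      status = (head ~ /^TTY=/) ? "ok" : "denied"
      split(cmd, w, " "); exe = w[1]; sub(/^.*\//, "", exe)
      # After a shell or su starts, sudo logs nothing further by default.
      kind = (exe ~ /^(sh|bash|dash|ksh|zsh|csh|tcsh|su)$/) ? "shell" : "cmd"
      printf "%s\t%s\t%s\t%s\t%s\n", user, runas, status, kind, cmd
    }'
}

# Successful escalations into an interactive shell: the audit trail ends here.
shell_sessions() {
  classify_sudo | awk -F"\t" '$3 == "ok" && $4 == "shell" { print $1 ": " $5 }'
}

sample_log | classify_sudo
```

Feed it the central log host's messages file in place of sample_log; every line shell_sessions prints marks a root session whose individual commands are not in the sudo log.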


