5

A while ago I was installing NPM and I noticed that when I tried to run their install shell script using sudo it threw errors regarding some commands not being found. However when trying to run the same script without sudo everything worked like a charm.

I'm a new Linux user, but from my understanding, sudo's permissions and visibility are a superset of the normal user.

Why does it happen?

4 Answers

9

From my understanding, sudo's permissions and visibility are a superset of the normal user.

Permissions, yes, but not necessarily visibility. Visibility of applications is governed by the PATH environmental variable:

~$ printenv PATH
/home/vanadium/.local/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/usr/games

When a command is typed, the command interpreter first checks whether it is an internal command, or whether the command corresponds with the name of an executable file on the disk. The system then searches the directories listed in PATH until an executable file is found with a name matching the command.

As you see in the example, a user can have additional private directories in the PATH, searched only when this user is issuing the command. Thus, yes, a user account can have different commands available than the root user, i.e., the administrator, the role assumed when you use the sudo command.

Still, the permissions of an executable ultimately determine who can run the file. Provided the permissions allow it, an executable can always be run by providing the full path name on the prompt, e.g. /usr/bin/mount instead of just the file name, mount. And indeed, root can always execute as long as the executable bit is set, even if so only for the owner.

vanadium
  • 88,010
3

Let's say you want to run a file in your directory scripts. You would run:

myscript.sh

and the script runs fine. But after you run sudo, the error you get is this:

sudo: myscript.sh: file not found

Whenever sudo is used it uses the root user's path. The solution to that would be to run the command this way:

sudo ./myscript.sh
amalloy
  • 103
2

The shell (bash etc.) uses different variables in regular user and sudo mode. Simply verify this by following the procedure:

# Plain user
printenv > env1
# Using sudo
sudo printenv > env2
# Comparison
diff env1 env2
# Alternative comparison using the GUI tool meld
meld env1 env2

If meld is not installed, you can easily install it. It's very useful.

sudo apt-get update
sudo apt-get install meld

Different content of variables of plain user / sudo can influence shell behavior and script functionality.

File access permissions are also different.

netbat
  • 1,044
  • 3
  • 12
0

Actually, it's a bit more complicated than that. There are a couple of definitions that need to exist in /etc/sudoers.

The controlling flags that determine what happens with the sudo environment are: env_check, env_keep, and env_reset.

The man page for sudoers does a good job of explaining this in the "Command environment" section:

$ man --pager="less -p '^\ *Command environment'" sudoers

In an out-of-the-box Ubuntu configuration, the flag that is defined for PATH is called secure_path (enabled by default). The value is used in place of the user PATH to launch sudo because env_reset is also enabled by default:

$ man sudoers | egrep "^\ *secure_path" -A4 | sed 's/^ *//'

secure_path   If set, sudo will use this value in place of the user's PATH environment variable. This option can be used to reset the PATH to a known good value that contains directories for system administrator commands such as /usr/sbin.

Users in the group specified by the exempt_group option are not affected by secure_path. This option is not set by default.

(Edit: The last line above is referring to the exempt_group not being enabled by default, not the secure_path)

You can modify it using visudo (recommended) or display it:

$ sudo grep secure_path /etc/sudoers
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

Other times the commands are built into bash (like echo) and are not executables that you can reference in a PATH variable. These are the times you have to pipe some value into a sudo bash -c, or use other ways.

CG3
  • 306
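
The PATH lookup and the secure_path substitution described in the answers above, as an added example that is not part of any of the original posts: it resolves a command against a user PATH and against the value parsed from a sudoers `Defaults secure_path=` line, and reports which of the two can see it. The helper names (`parse_secure_path`, `resolve_in_path`, `sudo_visibility`, `demo`) and the temporary directory tree are constructed for illustration; the sketch assumes env_reset with secure_path in effect and does not model exempt_group or shell builtins.

```sh
#!/bin/sh
# Added example. Helper names and the demo tree are constructed for illustration.

# Pull the value out of a sudoers line such as: Defaults secure_path="/usr/sbin:/usr/bin"
parse_secure_path() {
    printf '%s\n' "$1" | sed -n \
        's/^[[:space:]]*Defaults[[:space:]]*secure_path[[:space:]]*=[[:space:]]*"\{0,1\}\([^"]*\)"\{0,1\}[[:space:]]*$/\1/p'
}

# Search a colon-separated path list left to right and print the first
# executable regular file named $1. Runs in a subshell so IFS stays untouched.
resolve_in_path() (
    cmd=$1
    set -f; IFS=:
    for dir in $2; do
        [ -n "$dir" ] || dir=.          # an empty entry means the current directory
        if [ -f "$dir/$cmd" ] && [ -x "$dir/$cmd" ]; then
            printf '%s\n' "$dir/$cmd"
            exit 0
        fi
    done
    exit 1
)

# Compare what the user's PATH finds ($2) with what secure_path finds ($3).
sudo_visibility() (
    if u=$(resolve_in_path "$1" "$2"); then found=u; else found=-; fi
    if s=$(resolve_in_path "$1" "$3"); then found=${found}s; else found=${found}-; fi
    case $found in
        us) echo "both: user=$u sudo=$s" ;;
        u-) echo "user-only: $u (directory not in secure_path)" ;;
        -s) echo "sudo-only: $s" ;;
        *)  echo "missing" ;;
    esac
)

# Constructed demo tree standing in for ~/.local/bin and /usr/bin.
demo() (
    t=$(mktemp -d) || exit 1
    mkdir -p "$t/home/.local/bin" "$t/usr/bin"
    for f in home/.local/bin/npm usr/bin/mount; do
        printf '#!/bin/sh\n' > "$t/$f" && chmod +x "$t/$f"
    done
    secure=$(parse_secure_path "Defaults    secure_path=\"$t/usr/sbin:$t/usr/bin\"")
    for c in npm mount; do
        printf '%-6s %s\n' "$c" "$(sudo_visibility "$c" "$t/home/.local/bin:$t/usr/bin" "$secure")"
    done
    rm -rf "$t"
)
demo
```

A "user-only" result is the situation from the question: the command lives in a per-user directory that secure_path deliberately leaves out, so it has to be called by full path under sudo.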