Summary

For security reasons it is good practice to reduce the use of "suexec su -" as much as possible since this opens up a full root shell to the user. Instead it is better to use "suexec -u root ".

Commands run this way may not get the environment variables that the destination account or "to user" (in this case root) needs to run them. Specifically, the PATH variable may get an unexpected value.

Reference Information

To try to correct this problem, you may add the modifier "suexec_touserenv" to the Access Route. From the description in the BoKS Manager Administration Guide, you would expect this to solve the problem:

"Programs that you run via suexec are by default run in the environment belonging to the fromuser. Restricting users to the fromuser environment ensures that a high level of security can be maintained. However, sometimes it can be useful to be able to run programs via suexec in the touser’s environment: For example, when you want to administrate a database server via a dedicated functional account. The user can then run suexec to fully utilize the touser environment and perform the required administrative tasks."


You can configure the use of a "to user" environment in FoxT Control Center by checking the Execute in ‘To user’ environment checkbox while adding an Access Route. On the command line this is done by adding "-m suexec_touserenv" to the Access Route definition when running routeadm or ttyadmin (see the man pages for these commands for exact syntax and examples).

The "suexec_touserenv" modifier runs the selected command using the "to user"'s login shell. This executes any shell start-up files in the "to user" home directory as well as global shell start-up files.

It is possible to set these up to get the PATH set up correctly:

BoKS # grep PATH /etc/profile
PATH=$PATH:/some/dir

$ /opt/boksm/bin/suexec -u root /bin/env | grep PATH
PATH=/bin:/usr/bin:/etc:/usr/etc:/some/dir

Another option is to use the ENV settings "SUEXEC_PATH" to set the PATH when running commands as another user or "SUEXEC_PATH_" to set it when running commands as .

For example:

BoKS # grep SUEXEC_PATH_root $BOKS_etc/ENV

SUEXEC_PATH_root=/usr/bin:/usr/sbin:/etc:/usr/ucb:/usr/bin/X11:/sbin:/usr/local/bin:/usr/java5/jre/bin:/usr/java5/bin
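
Whichever method sets it, this PATH becomes the search path for commands run as root, so it is worth checking before use. The following is an added example, not part of the original article or of BoKS: it reads a SUEXEC_PATH_ value from an ENV-style file and flags empty, relative, missing and group- or world-writable entries. The function names and the sample value are hypothetical, and the KEY=value file layout is assumed from the grep output above.

```shell
#!/bin/sh
# Added example, not BoKS code. Assumption: the ENV file uses KEY=value lines,
# as the grep output above suggests.

# Print the SUEXEC_PATH_<user> value from an ENV-style file (last match wins).
suexec_path_for() {   # $1 = ENV file, $2 = user name
    sed -n "s/^SUEXEC_PATH_$2=//p" "$1" | tail -n 1
}

# Print one finding per risky entry; return 0 if the PATH is clean, 1 if not.
audit_path() {        # $1 = colon-separated PATH value
    findings=0
    rest="$1:"        # extra ':' so the loop also sees the last entry
    while [ -n "$rest" ]; do
        dir=${rest%%:*}      # text before the first ':'
        rest=${rest#*:}      # text after the first ':'
        if [ -z "$dir" ]; then
            echo "empty entry: resolves to the current directory"
        elif [ "${dir#/}" = "$dir" ]; then
            echo "relative entry: $dir"
        elif [ ! -d "$dir" ]; then
            echo "not a directory: $dir"
        else
            # Mode string of the directory itself, following symlinks.
            mode=$(ls -ldL "$dir" | cut -c1-10)
            case $mode in
                ?????w????|????????w?) echo "group/world-writable: $dir" ;;
                *) continue ;;   # entry is acceptable
            esac
        fi
        findings=$((findings + 1))
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample value (not from a real host).
audit_path "/usr/bin::bin:/tmp" || true
```

On a BoKS host the two functions combine as `audit_path "$(suexec_path_for "$BOKS_etc/ENV" root)"`.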


Last Modified On: August 28, 2019