For security reasons it is good practice to reduce the use of "suexec su -" as much as possible since this opens up a full root shell to the user. Instead it is better to use "suexec -u root
Running the above command may result in incorrect environment variables for the destination account or "to user" (in this case root) needed to run the commands. Specifically, the PATH variable may get an unexpected value.
To try to correct this problem you may add the modifier "suexec_touserenv" to the Access Route which you would expect to solve the problem from the description in the BoKS Manager Administration Guide:
"Programs that you run via suexec are by default run in the environment belonging to the fromuser. Restricting users to the fromuser environment ensures that a high level of security can be maintained. However, sometimes it can be useful to be able to run programs via suexec in the touser’s environment: For example, when you want to administrate a database server via a dedicated functional account. The user can then run suexec to fully utilize the touser environment and perform the required administrative tasks."
You can configure the use of a "to user" environment in FoxT Control Center by checking the Execute in ‘To user’ environment checkbox while adding an Access Route. On the command line it this done by adding "-m suexec_touserenv" to the Access Route definition when running routeadm or ttyadmin (see the man pages for these commands for exact syntax and examples).
What the "suexec_touserenv" modifier does is to run the selected command using the "to user"'s login shell. This executes any shell start-up files in the "to user" home directory as well as global shell startup files.
It is possible to set these up to get the PATH set up correctly:
BoKS # grep PATH /etc/profile
$ /opt/boksm/bin/suexec -u root /bin/env | grep PATH
Another option is to use the ENV settings "SUEXEC_PATH" to set the PATH when running commands as another user or "SUEXEC_PATH_
BoKS # grep SUEXEC_PATH_root $BOKS_etc/ENV
Still have questions? We can help. Submit a case to Technical Support.