If you use double-quotes when creating an Access Route that contains the variable $USER, the shell's interpretation of the quoted string will cause an unintended, and potentially dangerous, route to be generated.

For example, running the following command:

ttyadmin -a -l MY_HOSTGROUP:testuser -z "SUEXEC:$USER@*->root@MY_HOSTGROUP%/usr/bin/touch /tmp/testfile" -w 1234567

Would result in the following route:

SUEXEC:root@*->root@MY_HOSTGROUP%/usr/bin/touch /tmp/testfile 00:00-24:00, 1234567

Notice the change in the "from user": the command should have resulted in a route with $USER@*->root, but this was changed to root@*->root, which will not match the "from user" and will result in a No Terminal Authorization error.

The reason this happens is that with double-quotes, the shell evaluates the variable $USER before ttyadmin receives the argument. Since, in most cases, BoKS commands are executed as root, $USER expands to root.

Resolution / Workaround

Rewrite the rule using single quotes (') rather than double-quotes (") and the route will be created correctly. For example:

ttyadmin -a -l MY_HOSTGROUP:testuser -z 'SUEXEC:$USER@*->root@MY_HOSTGROUP%/usr/bin/touch /tmp/testfile' -w 1234567
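A pre-flight check for the route string can catch the double-quote mistake before the route is created. The script below is an added example, not part of BoKS or of the original article: the function names are hypothetical, the field layout (method:from-user@from-host->...) is assumed from the example route above, and it only applies to routes that are meant to carry the literal $USER.

```shell
#!/bin/sh
# Added example: pre-flight check for an Access Route string that is about to
# be passed to "ttyadmin -z". Function names are hypothetical, not BoKS tools.

# Print the "from user" field: the text between the first ':' and the first '@'.
route_from_user() {
    rest=${1#*:}                 # drop the method prefix, e.g. "SUEXEC:"
    printf '%s\n' "${rest%%@*}"  # keep everything before the first '@'
}

# Return 0 if the from-user is still the literal string $USER,
# 1 if the shell has already expanded it, 2 if the string is not a route.
check_route_literal() {
    case $1 in
        *:*@*'->'*) ;;
        *) echo "malformed route: $1" >&2; return 2 ;;
    esac
    from=$(route_from_user "$1")
    if [ "$from" = '$USER' ]; then
        return 0
    fi
    echo "from user is '$from', not literal \$USER (double-quoted?)" >&2
    return 1
}

# Constructed demonstration: simulate an administrator session running as root.
USER=root
DOUBLE="SUEXEC:$USER@*->root@MY_HOSTGROUP%/usr/bin/touch /tmp/testfile"
SINGLE='SUEXEC:$USER@*->root@MY_HOSTGROUP%/usr/bin/touch /tmp/testfile'

for spec in "$DOUBLE" "$SINGLE"; do
    if check_route_literal "$spec"; then
        echo "OK:     $spec"
    else
        echo "REJECT: $spec"
    fi
done
```

The double-quoted string is rejected because its from-user has already become root; only the single-quoted string reaches the point where it would be handed to ttyadmin.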

Last Modified On: June 28, 2019