Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 12:33 pm
by mikech
I am trying to run a script, whose path is within subdirectories in the user's home, and is listed in the env, and works perfectly when run by the user from any directory without specifying its path, but only works with sudo when using the absolute path. In that case it works perfectly also.

I can confirm that the PATH is being inherited correctly by sudo, and it does include the /home/q/Desktop/Scripts/ directory where the script is located. So, the issue doesn't seem to be related to the PATH or the environment variables.

However, since the "sudo which filename" command doesn't find the script even though it's in the sudo PATH, this suggests that the problem is likely related to how sudo resolves the file or possibly an issue with how the script is being executed in the root environment.

To summarize the key points:
1. The script works with sudo when run directly from its directory, and the issue occurs when running it from anywhere else using sudo.
2. The PATH is correct: I can see that /home/q/Desktop/Scripts/ is in the PATH both for the user and when using sudo.
3. The script is executable (chmod +x is set properly).
4. "sudo" won't find and run scripts except directly from the absolute path even though it sees the same env variable as the user.
5. "which" doesn't find the script when run with sudo, even though the PATH is correct.
6. The user can use the script from anywhere with "bash filename".
7. The script performs a complete backup of the user's home, however some files will not be backed up unless using "sudo".

Not much point in having env variables if sudo can't use them!! By the way, ChatGPT4.0 was completely useless for this issue. I think it seems to be getting dumber every day! :smiley:

I ALWAYS forget this:


Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 12:46 pm
by imschmeg
How did you confirm that a command run within sudo sees your PATH?

sudo resets PATH by default, for security reasons, but this can be overridden using sudo command options.

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 12:50 pm
by Adrian
Does sudo -E work? (-E is preserve environment option)

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 1:01 pm
by mikech
I used:

Code:

$ sudo bash -c "echo $PATH"
/home/q/.cargo/bin:/home/q/.local/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin:/home/q/Desktop:/home/q/Desktop/Scripts/:/home/q/Applications/:/home/q/Scripts/
Using E did not help.

Code:

sudo bash -E "backupforinternaldrive2024x.sh"
bash: backupforinternaldrive2024x.sh: No such file or directory
Your questions gave me another idea so I did this:

Code:

sudo printenv
(excerpt) PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
I see that gives me a different path! Does that tell us anything? This is beyond my knowledge level.

Using -E did not help:

Code:

$ sudo -E bash "backupforinternaldrive2024x.sh"
bash: backupforinternaldrive2024x.sh: No such file or directory

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 1:03 pm
by fehlix
Adrian wrote: Sun Nov 10, 2024 12:50 pm Does sudo -E work? (-E is preserve environment option)
You can use "sudo -E", as shown here:

Code:

echo $PATH
/opt/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin
sudo -E env  | grep -E '^HOME|^PATH'
HOME=/home/fehlix
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
but it resets PATH, and keeps user HOME, which can create issues, when the app
started with "sudo -E", writes stuff as root into user HOME. So highly not recommended.
The way to pass an adjusted PATH into the sudo environment could be like this:

Code:

sudo PATH="$PATH" env | grep -E '^HOME|^PATH'
PATH=/opt/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin
HOME=/root
The env command used in the examples above is just to print out the environment parameters.

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 1:05 pm
by imschmeg

Code:

$ sudo bash -c "echo $PATH"
evaluates PATH before calling sudo.

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 1:13 pm
by mikech
I didn't really understand but I ran:

Code:

sudo PATH="$PATH" env | grep -E '^HOME|^PATH'  
PATH=/opt/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin
HOME=/root
Seems the same as yours. So I think this means that sudo has a different env path. So does that mean I always have to use an absolute path when using sudo? Is it risky to modify the sudo path by adding the path to my scripts? If not, how would I do that?

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 1:18 pm
by imschmeg
compare:

Code:

$ sudo bash -c "echo $PATH"

Code:

$ sudo bash -c 'echo $PATH'
The first expands $PATH immediately because of the double quotes, the second doesn't.

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 1:24 pm
by mikech
I tried that. I have no idea what the significance is but here are the results:

Code:

q@mx:/home/q
$ sudo bash -c 'echo $PATH'
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
q@mx:/home/q
$ sudo bash -c "echo $PATH"
/opt/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin
So they are definitely different but not enough to add my script directory. But if I am understanding correctly it is risky to have sudo use the user defined env path?

Bottomline: I don't fully understand all this but I seem to get the idea that I should not try to use an env path shortcut and should always use an absolute path when using sudo??

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly  [Solved]

Posted: Sun Nov 10, 2024 1:34 pm
by fehlix
mikech wrote: Sun Nov 10, 2024 1:13 pm I didn't really understand but I ran:

Code:

sudo PATH="$PATH" env | grep -E '^HOME|^PATH'  
PATH=/opt/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/games:/usr/games:/sbin:/usr/sbin
HOME=/root
Seems the same as yours. So I think this means that sudo has a different env path. So does that mean I always have to use an absolute path when using sudo? Is it risky to modify the sudo path by adding the path to my scripts? If not, how would I do that?
Yes, this means sudo resets the PATH and does not take what is set in the user's environment.
With

Code:

sudo PATH="$PATH" myapp
you tell sudo to take the environment parameter "PATH" as it is set on the command line.
But you haven't shown us how you actually want to start the app in question, e.g. with a script, a desktop launcher, or just from the terminal command line? B/c there are some small differences to take into account.

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 1:35 pm
by imschmeg
The difference between when single and double quoted strings are expanded has nothing to do with sudo. It's all bash (or whatever shell you're using).

There are many reasons sudo has obscure rules about what it does by default. Most are related to risk.

It is extremely easy for even fairly advanced linux users to make themselves more vulnerable to hacking with sudo. But, in linux land, only you can save you from you.

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 1:56 pm
by mikech
I am very sorry fehlix. I didn't realize you needed that. I use the command line and start a bash script with "bash filename.sh", which works from any directory when not using "sudo". Didn't know there was any other way. It never occurred to me to make a launcher! I have never used a launcher and only start bash scripts from the command line.

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 2:04 pm
by mikech
sudo PATH="$PATH" bash myscript works! It runs the script. Now I just need to find a way to automate that.

It's all about removing key strokes without compromising security for me. I once told one of my programmers when I was a project manager that I didn't care if it took 500 lines of code to remove one keystroke for the user (most new hires can't type). The programmers were not happy! 500 lines of code is much cheaper than 10,000 extra keystrokes several times a day (one per employee)!

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 2:22 pm
by imschmeg
mikech wrote: Sun Nov 10, 2024 2:04 pm It's all about removing key strokes without compromising security for me. I once told one of my programmers when I was a project manager that I didn't care if it took 500 lines of code to remove one keystroke for the user (most new hires can't type). The programmers were not happy! 500 lines of code is much cheaper than 10,000 extra keystrokes several times a day (one per employee)!
But adding 500 lines of code might compromise security. Because that code can contain bugs or at least make the system more vulnerable. The EULA might save the company from being sued, but not from losing customers and reputation. Add in maintenance of that extra code taking resources away from other things.

I'm a retired software engineer, so I might have been one of those not happy. :frown:

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 2:29 pm
by fehlix
mikech wrote: Sun Nov 10, 2024 2:04 pm sudo PATH="$PATH" bash myscript works! It runs the script. Now I just need to find a way to automate that.

It's all about removing key strokes without compromising security for me. I once told one of my programmers when I was a project manager that I didn't care if it took 500 lines of code to remove one keystroke for the user (most new hires can't type). The programmers were not happy! 500 lines of code is much cheaper than 10,000 extra keystrokes several times a day (one per employee)!
Sorry, why do you run a bash script as
"bash myscript"
instead of just
"myscript"
and with sudo as

Code:

sudo PATH="$PATH" myscript
b/c a proper bash script which is marked as executable and
has the proper "shebang" line as first line

Code:

#!/bin/bash
The shebang line "#!/bin/bash" tells the kernel to run this script as a bash script.
So there is no need to start a bash script by running an extra bash, as the kernel already knows to start it as bash.
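As an added example (not code from the thread), the following script reproduces the three points made above without needing sudo at all: fehlix's `sudo PATH="$PATH" myscript` form, imschmeg's single-versus-double-quote point, and the shebang point. It uses `env -i PATH=...` to stand in for sudo resetting PATH to its secure_path; the secure_path value is the one mikech's `sudo printenv` showed, while the scratch directory and the script name `myscript` are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. `env -i` clears the environment the way
# sudo does, and the PATH we hand it plays the role of sudo's secure_path.
SECURE_PATH='/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin'

# Create a scratch "Scripts" directory (constructed stand-in for
# /home/q/Desktop/Scripts/) holding an executable script with a shebang.
setup_demo() {
    DEMO_DIR=$(mktemp -d) || return 1
    printf '#!/bin/sh\necho backup-ran\n' > "$DEMO_DIR/myscript"
    chmod +x "$DEMO_DIR/myscript"
    # The user's PATH: the script directory plus the system directories.
    USER_PATH="$DEMO_DIR:$SECURE_PATH"
}

# Resolve a command name inside a shell that only sees the given PATH, as
# `which` would inside a sudo session. Prints the resolved path; non-zero
# exit status when the name is not on that PATH.
resolve_in_path() {
    name=$1; pathstr=$2
    /usr/bin/env -i PATH="$pathstr" /bin/sh -c 'command -v "$1"' sh "$name"
}

# imschmeg's point: with double quotes, $PATH is expanded by the calling
# shell before the child (here: the reset environment) ever runs.
path_seen_with_double_quotes() {
    ( PATH="$USER_PATH"; /usr/bin/env -i PATH="$SECURE_PATH" /bin/sh -c "echo $PATH" )
}
# With single quotes the child shell prints its own (reset) PATH.
path_seen_with_single_quotes() {
    /usr/bin/env -i PATH="$SECURE_PATH" /bin/sh -c 'echo $PATH'
}

# Running the script by bare name under the reset PATH fails (exit 127)...
run_under_reset_path() {
    /usr/bin/env -i PATH="$SECURE_PATH" /bin/sh -c 'myscript' 2>/dev/null
}
# ...while passing the user's PATH explicitly, as `sudo PATH="$PATH" myscript`
# does, lets the kernel find the script and honour its #!/bin/sh shebang,
# so no extra "bash" in front is needed.
run_with_passed_path() {
    /usr/bin/env -i PATH="$USER_PATH" /bin/sh -c 'myscript'
}
```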

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Sun Nov 10, 2024 2:52 pm
by mikech
Felix:
OH! I did not know that. Thank you! It has "#!/bin/bash" so I must have known it when I wrote the script 5 years ago! Your question about a launcher prompted me to create one and it works perfectly. I just have to figure out how to keep the terminal open so I can see any errors. I used to know how to do it so I just need to check some of my other scripts. Thanks!

imschmeg
Good point! However we used highly skilled and qualified professional programmers who understood the need for security and we used a very robust testing system that also checked for vulnerabilities. The application lived behind a very powerful firewall with zero internet access. They just were not happy about doing all the extra work and considered it unnecessary. They were of the "the user ought to..." philosophy. Afterwards one of them thanked me because what I asked him to do was very difficult and he filed several patents for the techniques he developed. "500 lines" was a figure of speech. Nothing I asked them to do actually required 500 lines! :-)) But you're right. Probably not do-able or even a good strategy in some commercial environments.

Re: Sudo cannot find scripts in the user's home despite the ENV set correctly

Posted: Mon Nov 11, 2024 5:28 am
by DukeComposed
imschmeg wrote: Sun Nov 10, 2024 2:22 pm
mikech wrote: Sun Nov 10, 2024 2:04 pm I once told one of my programmers when I was a project manager that I didn't care if it took 500 lines of code to remove one keystroke for the user (most new hires can't type). The programmers were not happy! 500 lines of code is much cheaper than 10,000 extra keystrokes several times a day (one per employee)!
But adding 500 lines of code might compromise security. Because that code can contain bugs or at least make the system more vulnerable. The EULA might save the company from being sued, but not from losing customers and reputation. Add in maintenance of that extra code taking resources away from other things.
Write 500 lines to save one keystroke. Pat self on the back for the productivity boost. Realize you now have to pay your engineers to write a specification for those 500 lines, unit tests, and documentation. Update training everywhere since it changes end user workflows and send multiple announcements they won't read, with a timeline they won't remember. Hold multiple meetings to solicit usability feedback. Check the new code into source control. Tag it for regular security review at six month intervals and factor in the additional regression testing into your CI/CD test matrix. Notify your on-call rotation about the update and provide best practices. Hold multiple meetings to calculate the lifetime of the project and when to assign it to a sustained engineering resource.

All over one keystroke. Choose carefully.