5

The following happened to me:

$ sudo su - superman

Sorry, user clarkkent is not allowed to execute '/bin/su - superman' as root in krypton101.

However the following worked fine:

$ sudo su superman

When is it useful to allow a user to do sudo su but not sudo su -? How is this setting set / unset? I read this page but it didn't help.

More details:

  • I am not the administrator
  • I don't have access to /etc/sudoers
  • the distribution is CentOS 7
usual me
  • 151

2 Answers

3

When specifying commands allowed via sudo, there are basically two easy options:

  • allow a specific command with any parameters, or
  • allow a specific command with an exactly specified set of parameters only.

As a result, allowing both sudo su - superman and sudo su superman requires two entries in the sudoers file. It looks like your administrator has only provided you with one of them.

The sudoers file syntax does not really let the administrator specify a specific command with wildcard- or regexp-limited options, because those specifications would be all too easy to abuse. As Andrew said, better safe than sorry is the approach here.

However, note that sudo su superman requires sudo to allow the original user to run su superman as root. Effectively, there will be two identity transitions instead of just one: first from original user to root by sudo and then from root to superman by su. The specification would look like this in the sudoers file:

original_user ALL=(root) su superman

On the other hand, the sudoers syntax has a much easier way to allow the user to run any commands as a specific user, if the user is not too fixated on using the su command.

If the sudoers specification is written like this:

original_user ALL=(superman) ALL

then the user can use sudo -u superman -s to achieve a close (but possibly not exact) equivalent of sudo su superman and sudo -u superman -i to achieve an exact equivalent of sudo su - superman.

Why don't people use this, and instead insist on using sudo su - constructs? Because the -i option did not exist in older versions of sudo!

It only appeared sometime after the year 2000, so there's plenty of old literature that still recommends the now-obsolete sudo su - construction. And of course, old Unix users and administrators may have that in muscle memory, so they'll use it without thinking.

telcoM
  • 96,466
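As an added illustration of the matching rule described in the answer above (this is not code from the answer, and it is a deliberately simplified model, not sudo's real parser), the following Python shows how three kinds of sudoers entry decide the two commands from the question: a command listed with exact arguments, the same command listed with no arguments (so any arguments match), and the `(superman) ALL` form. The sudoers lines and the host name are constructed samples modelled on the error message in the question.

```python
"""A simplified model of sudoers command matching (added teaching example).

It reproduces the spec forms discussed in the answer:
  - command listed with no arguments   -> any arguments are accepted
  - command listed with arguments      -> the arguments must match exactly
  - the special value ""               -> the command may only run with no arguments
  - ALL                                -> any command
plus the Runas list in parentheses, e.g. (root) or (superman), and the host field.
It is NOT sudo's real parser: no aliases, wildcards, negation, Defaults or
Cmnd_Alias handling. All sudoers lines below are constructed samples.
"""
import shlex
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    user: str
    host: str                   # hostname or "ALL"
    runas: str                  # target user or "ALL"
    command: str                # absolute path or "ALL"
    args: Optional[List[str]]   # None = any arguments; [] = no arguments only


def parse_rule(line: str) -> Rule:
    """Parse one 'user HOST=(runas) command [args]' line (subset of sudoers)."""
    user, rest = line.split(None, 1)
    host, spec = rest.split("=", 1)
    spec = spec.strip()
    runas = "ALL"                      # sudoers default when no Runas list is given
    if spec.startswith("("):
        close = spec.index(")")
        runas = spec[1:close].strip() or "ALL"
        spec = spec[close + 1:].strip()
    tokens = shlex.split(spec)         # shlex keeps the "" no-arguments marker as ''
    command = tokens[0]
    if command == "ALL":
        return Rule(user, host.strip(), runas, "ALL", None)
    if len(tokens) == 1:
        return Rule(user, host.strip(), runas, command, None)
    if tokens[1:] == [""]:
        return Rule(user, host.strip(), runas, command, [])
    return Rule(user, host.strip(), runas, command, tokens[1:])


def permitted(rules: List[Rule], user: str, host: str, runas: str, argv: List[str]) -> bool:
    """True if some rule lets `user` on `host` run argv as `runas`.

    argv[0] is the resolved path of the command, which is what sudo compares
    (hence '/bin/su' in the denial message, not 'su').
    """
    for r in rules:
        if r.user != user:
            continue
        if r.host != "ALL" and r.host != host:
            continue
        if r.runas != "ALL" and r.runas != runas:
            continue
        if r.command == "ALL":
            return True
        if r.command != argv[0]:
            continue
        if r.args is None or r.args == list(argv[1:]):
            return True
    return False


# Constructed sample entries (not the asker's real /etc/sudoers).
ONE_SU_FORM = [parse_rule("clarkkent krypton101=(root) /bin/su superman")]
ANY_SU_ARGS = [parse_rule("clarkkent krypton101=(root) /bin/su")]
RUNAS_ALL = [parse_rule("clarkkent ALL=(superman) ALL")]

SU_PLAIN = ["/bin/su", "superman"]        # what 'sudo su superman' asks for
SU_LOGIN = ["/bin/su", "-", "superman"]   # what 'sudo su - superman' asks for


if __name__ == "__main__":
    for name, rules in (("exact args", ONE_SU_FORM), ("any args", ANY_SU_ARGS)):
        for argv in (SU_PLAIN, SU_LOGIN):
            ok = permitted(rules, "clarkkent", "krypton101", "root", argv)
            print(f"{name:10s} sudo {' '.join(argv):22s} -> {'allowed' if ok else 'denied'}")
    # With (superman) ALL the user may run anything as superman, but nothing as root:
    login_shell = ["/bin/bash", "-l"]      # roughly what 'sudo -u superman -i' runs
    print("runas ALL  sudo -u superman -i         ->",
          "allowed" if permitted(RUNAS_ALL, "clarkkent", "krypton101", "superman", login_shell) else "denied")
    print("runas ALL  sudo su superman (as root)  ->",
          "allowed" if permitted(RUNAS_ALL, "clarkkent", "krypton101", "root", SU_PLAIN) else "denied")
```

With `ONE_SU_FORM` the model reproduces the asker's situation exactly: `su superman` matches, `su - superman` does not, because the listed arguments must match verbatim. Dropping the arguments (`ANY_SU_ARGS`) allows both forms, and `(superman) ALL` allows any command as superman while still refusing every request to run as root.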
0

To answer the question: When is it useful to allow a user to do sudo su but not sudo su -?

The hyphen after su but before the username instructs su to allow the current user to inherit the environment of username. As long as clarkkent's environment has the necessary environment variables set to be able to run as superman, it is not necessary to run sudo su - superman.

A plausible 'reason' NOT to allow sudo su - superman may be that the system administrator believed sudo su - superman created a security risk. This is because sudo su -, without specifying a username, instructs the system to log you in as root user, which is likely something the system administrator is trying to avoid. I do not actually know for certain whether adding the hyphen creates this risk or not, but I guess when it comes to security, it's better safe than sorry.

How is this setting set / unset?

The configuration is defined in the /etc/sudoers file.

Andrew
  • 1,205