New administration user's $PATH seriously differs from the root's

Question

I'm administering a rented CentOS 5.6 Dedicated Machine as root like initially setup but I'm aware it's extremely bad practise, so I created an User named administrator, placed into groups administrator wheel sshd and added

## Allows people in group wheel to run all commands
%wheel  ALL=(ALL)       ALL

via visudo. Everything works as far as sudoing or SSHing but $PATH differs too much for both, causing some commands like visudo "not existing" (for administrator) and I don't know what like I should edit administrator's into.

$PATH for root: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
$PATH for administrator: /usr/local/bin:/bin:/usr/bin:/home/administrator/bin

On a Debian Squeeze the mentioned are
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
and
/usr/local/bin:/usr/bin:/bin:/usr/local/games
but the latter User was added during installation, so how should I edit administrator's on the CentOS ?

I've not chosen a winner reply, as none answer the Q but then again this can't be really answered since I'm on wrong track. — rautamiekka, Aug 19 '11 at 19:57

84104 · Answer 1 · 2011-08-10T15:53:34.883

1

Why don't you just change administrator's path to be the same path as root's?

To quote /etc/profile

# Set up PATH depending on whether we're root or a normal user.
# There's no real reason to exclude sbin paths from the normal user,
# but it can make tab-completion easier when they aren't in the
# user's PATH to pollute the executable namespace.

edited Aug 10 '11 at 15:53

answered Aug 09 '11 at 22:32

84104

12,905
6
45
76

score 1 · Answer 2 · answered Aug 09 '11 at 22:44

1

"How To Become Root"

answered Aug 09 '11 at 22:44

Ignacio Vazquez-Abrams

45,939
6
79
84

What do you want me to learn from that page ? O.o – rautamiekka Aug 19 '11 at 19:56
Hint: Look for `$PATH` on the page. – Ignacio Vazquez-Abrams Aug 19 '11 at 20:10

Michael Lowman · Answer 3 · 2011-08-10T13:59:09.473

TL;DR: Don't use non-root users for root things.

The "bad practice" is not use of the root account. The good practice is to do system administration as root, and normal usage as a normal user. This way, your normal user never has enough rights to do system administration work (maybe the account gets compromised, or you accidentally write a runaway script).

sudo and su are both ways to give yourself root access when you need it: to perform administration.

You should not modify your local user's path to include system binaries. They're in root's path for a reason: only root should run them (except ifconfig, and that's mostly fixed nowadays). If the administrator user is really intended to be just for administration, delete it. There's no point in a fake root account when you have a real one.

You are probably having issues because by default, your current environment is kept with su. You should run su as su -, telling it to reinitialize your environment as the new user (root in this case).

For sudo, your PATH should already be properly reset. Try sudo env | grep PATH; you should see /usr/sbin and all its friends already there.

If you don't you must have some element of a custom sudoers config: check for env_file, secure_path, or env_keep. Another possibility is that sudo isn't being run as you thought: check your aliases alias to see if the PATH is specified on the command line for some brain-dead reason.

I highly disagree with what you're saying. The biggest part (for me) is that using a dedicated admin user and relying on "sudo" to perform root level tasks really cuts down on the "oh sh**!" moments by forcing you to stop and think why you need to authenticate. To one-up your definition of good practice, I say use a standard user for standard things, an admin user for administrative tasks and root for special cases (i.e. almost never). But it's all subjective, right? Use whatever you want, but you can't argue that the SAFER option would be to not use root at all and to use an admin account. — Safado, Aug 10 '11 at 16:13
@RyanM I'm not advocating use of `su` over `sudo`; that's a personal choice. But I do believe there shouldn't be a "fake admin" user who exists solely to use `sudo`. Too many levels, not enough point. If you want to discuss this I'll be happy to join you in chat, otherwise I'd say brevity is the soul of wit and simplicity is the soul of security. — Michael Lowman, Aug 10 '11 at 17:22
I'm with Ryan. Having to auth' gives your gray matter enough time to stop you before screwing up the entire system, or in the very least stopping before the screwup is complete. I'm also thinking to lock down `root` since I have a regular User with administrative permissions. Though, you do have a point. — rautamiekka, Aug 10 '11 at 18:53

score 0 · Answer 4 · answered Aug 10 '11 at 13:34

0

I usually just add my regular user account to wheel group and whenever I need to perform root tasks, I su -

answered Aug 10 '11 at 13:34

Janne Pikkarainen

31,852
4
58
81

New administration user's $PATH seriously differs from the root's

4 Answers4