Sudo vs root; any actual differences?

I'm working with a support member for a product, and he insists that I need to be root to install a series of patches, and that sudo won't work; he doesn't provide a reason but seems very firm in his beliefs. Browsing Superuser I can't determine any possible reason for this being the case, and in confirmation, when I run:

sudo -l

I get:

...
User [MY USERNAME] may run the following commands on this host:
    (ALL) ALL

Getting access from the Linux/server team to actually be root is not an immediate process as I understand, so I'd prefer to install them myself.

Is there any practical reason whatsoever why sudo would behave differently than root for installing software on a server?


Solution 1:

It strongly depends on how you call your program with sudo or su.
E.g. on the system I am on at this moment:

                  .bashrc                        
    COMMAND        $HOME   $USER  Env.  $PATH
 1. sudo -i        (root)   root  root  [1]
 2. sudo -s        (USER)   root  USER  /home/${USER}/bin:[1]
 3. sudo /bin/bash (USER)   root  USER  /home/${USER}/bin:[1]  
 4. sudo su        (root)   root  USER  [1]:/usr/games:/usr/local/games  
 5. sudo su -      (root)   root  root  [1] 

Where [1]=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
Env=Environment variables are reset for 1 and 5, taken from $USER in 2,3,4.

So a script, or a program that is launched with a different option, can see a different $PATH and $HOME, and its shell can read a different .bashrc, .profile and environment variables. It reads the files related to the $HOME. Each user can modify his environment in a different way (variables, $PATH, .bashrc, .profile, .bash_profile, alias...). In particular a user can have a different order of the directories in his $PATH and, as a consequence, a script can execute a command e.g. in /home/$USER/bin instead of the one in the path expected from root.

You can run the program under sudo -i as if you were logged in as root with su -, but you can have different behaviour if you run it with sudo MyCommand or with su -c MyCommand.


From man su:

In the description part:
The current environment is passed to the new shell. The value of $PATH is reset to /bin:/usr/bin for normal users, or /sbin:/bin:/usr/sbin:/usr/bin for the superuser
...
In the options part:
-, -l, --login
Provide an environment similar to what the user would expect had the user logged in directly.

From man sudo

-i, --login
Run the shell specified by the target user's password database entry as a login shell. This means that login-specific resource files such as .profile or .login will be read by the shell. If a command is specified, it is passed to the shell for execution via the shell's -c option. If no command is specified, an interactive shell is executed. sudo attempts to change to that user's home directory before running the shell. The command is run with an environment similar to the one a user would receive at log in. The Command Environment section in the sudoers(5) manual documents how the -i option affects the environment in which a command is run when the sudoers policy is in use.
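
The $PATH-ordering effect described in Solution 1 can be checked before running an installer. The following is an added example, not part of the original answer: it reports commands that resolve to a different file under an inherited PATH (rows 2 and 3 of the table) than under the login PATH (rows 1 and 5). The function names and the temporary directory layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example. Directory names under the temp dir are constructed stand-ins
# for /home/$USER/bin and the system directories in [1].

# Print the first executable named $2 in the colon-separated list $1.
# Runs in a subshell ( ... ) so IFS and noglob changes do not leak out.
resolve_in_path() (
    set -f; IFS=:
    for dir in $1; do
        [ -n "$dir" ] || dir=.          # empty PATH entry means current directory
        if [ -f "$dir/$2" ] && [ -x "$dir/$2" ]; then
            printf '%s\n' "$dir/$2"
            exit 0
        fi
    done
    exit 1
)

# path_diff INHERITED_PATH LOGIN_PATH cmd...
# Report each command that resolves differently; status 1 if any differ.
path_diff() (
    inherited=$1; login=$2; shift 2; rc=0
    for cmd in "$@"; do
        a=$(resolve_in_path "$inherited" "$cmd") || a="(not found)"
        b=$(resolve_in_path "$login" "$cmd") || b="(not found)"
        if [ "$a" != "$b" ]; then
            printf '%s: %s (inherited) vs %s (login)\n' "$cmd" "$a" "$b"
            rc=1
        fi
    done
    exit "$rc"
)

# Constructed demo: "tar" exists in both the user's bin and the system dir.
demo_shadow_report() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/home/alice/bin" "$tmp/usr/bin"
    for f in home/alice/bin/tar usr/bin/tar usr/bin/patch; do
        printf '#!/bin/sh\n' > "$tmp/$f" && chmod +x "$tmp/$f"
    done
    path_diff "$tmp/home/alice/bin:$tmp/usr/bin" "$tmp/usr/bin" tar patch \
        || echo "=> use 'sudo -i' or 'sudo su -' so the installer sees root's PATH"
    rm -rf "$tmp"
}
demo_shadow_report

# On a real host (PATH value [1] from the table above):
# path_diff "$PATH" /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin tar patch
```
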

Solution 2:

If you have full sudo access, you can become root using sudo su -, so the security point is moot.

Indeed, there is a way to discern the difference between a program run as root and a program run under sudo - using getuid vs geteuid - but this is a contrived trick. Why would a patch system do that?

Solution 3:

There are a few differences if you are getting a root shell, as pointed out by @Hastur.

If you are not getting a root shell, then there are more differences. The support member may have experience trying to do things like sudo patch -p0 < /root/patch.file where patch is run as root, but < (piping from a file) is not.

Solution 4:

I believe when using sudo access, a log file is created, however when running directly through root access there is not.