Sudo and environment variables

From Brandonhutchinson.com

(Difference between revisions)
Jump to: navigation, search
m
Current revision (16:56, 5 March 2008) (edit) (undo)
m
 
(5 intermediate revisions not shown.)
Line 1: Line 1:
-
* If '''env_reset''' is set in '''sudoers''', sudo will reset most environment variables. To preserve an environment variable during a sudo execution, add it to '''env_keep''' in '''sudoers'''.
+
* If '''env_reset''' is set in '''sudoers''', sudo will reset most environment variables.
 +
If you want to preserve one or more environment variables for all commands in '''sudoers''', add it to '''env_keep'''.
 +
From ''sudoers''(4):
 +
env_keep Environment variables to be preserved in the
 +
user's environment when the env_reset option
 +
is in effect. This allows fine-grained
 +
control over the environment sudo-spawned
 +
processes will receive. The argument may be
 +
a double-quoted, space-separated list or a
 +
single value without double-quotes. The
 +
list can be replaced, added to, deleted
 +
from, or disabled by using the =, +=, -=,
 +
and ! operators respectively. The default
 +
list of variables to keep is displayed when
 +
sudo is run by root with the -V option.
 +
 +
env_reset If set, sudo will reset the environment to only contain the
 +
following variables: HOME, LOGNAME, PATH, SHELL, TERM, and
 +
USER (in addition to the SUDO_* variables). Of these, only
 +
TERM is copied unaltered from the old environment. The
 +
other variables are set to default values (possibly modi-
 +
fied by the value of the set_logname option). If sudo was
 +
compiled with the SECURE_PATH option, its value will be
 +
used for the PATH environment variable. Other variables
 +
may be preserved with the env_keep option.
-
From ''sudoers''(5):
+
If you want to execute a command in '''sudoers''' with environment variables preserved (while '''env_reset''' is set), add the SETENV tag to the command, and execute the command with '''sudo -E'''.
-
env_reset If set, sudo will reset the environment to only contain the
+
From ''sudo''(1m):
-
following variables: HOME, LOGNAME, PATH, SHELL, TERM, and
+
-E The -E (preserve environment) option will override the
-
USER (in addition to the SUDO_* variables). Of these, only
+
env_reset option in sudoers(4)). It is only available
-
TERM is copied unaltered from the old environment. The
+
when either the matching command has the SETENV tag or
-
other variables are set to default values (possibly modi-
+
the setenv option is set in sudoers(4).
-
fied by the value of the set_logname option). If sudo was
+
-
compiled with the SECURE_PATH option, its value will be
+
-
used for the PATH environment variable. Other variables
+
-
may be preserved with the env_keep option.
+
* Run '''sudo -V''' as root to list the environment variables sudo clears.
* Run '''sudo -V''' as root to list the environment variables sudo clears.

Current revision

  • If env_reset is set in sudoers, sudo will reset most environment variables.

If you want to preserve one or more environment variables for all commands in sudoers, add it to env_keep. From sudoers(4): 

       env_keep     Environment variables to be preserved in the
                    user's environment when the env_reset option
                    is in effect.  This allows fine-grained
                    control over the environment sudo-spawned
                    processes will receive.  The argument may be
                    a double-quoted, space-separated list or a
                    single value without double-quotes.  The
                    list can be replaced, added to, deleted
                    from, or disabled by using the =, +=, -=,
                    and ! operators respectively.  The default
                    list of variables to keep is displayed when
                    sudo is run by root with the -V option.

       env_reset    If set, sudo will reset the environment to only contain the
                    following variables: HOME, LOGNAME, PATH, SHELL, TERM, and
                    USER (in addition to the SUDO_* variables).  Of these, only
                    TERM is copied unaltered from the old environment.  The
                    other variables are set to default values (possibly modi-
                    fied by the value of the set_logname option).  If sudo was
                    compiled with the SECURE_PATH option, its value will be
                    used for the PATH environment variable.  Other variables
                    may be preserved with the env_keep option.

If you want to execute a command in sudoers with environment variables preserved (while env_reset is set), add the SETENV tag to the command, and execute the command with sudo -E. From sudo(1m): 

    -E  The -E (preserve environment) option will override the
        env_reset option in sudoers(4)).  It is only available
        when either the matching command has the SETENV tag or
        the setenv option is set in sudoers(4).
  • Run sudo -V as root to list the environment variables sudo clears.

e.g., 

# sudo -V
Environment variables to remove:
       PERL5OPT
       PERL5LIB
       PERLLIB
       JAVA_TOOL_OPTIONS
       SHELLOPTS
       PS4
       BASH_ENV
       ENV
       TERMCAP
       TERMPATH
       TERMINFO_DIRS
       TERMINFO
       _RLD*
       LD_*
       PATH_LOCALE
       NLSPATH
       HOSTALIASES
       RES_OPTIONS
       LOCALDOMAIN
       PS4
       SHELLOPTS
       CDPATH
       IFS
Retrieved from "http://brandonhutchinson.com/wiki/Sudo_and_environment_variables"
Personal tools