Sudo and environment variables

From Brandonhutchinson.com

Current revision (16:56, 5 March 2008)

  • If env_reset is set in sudoers, sudo will reset most environment variables.

If you want to preserve one or more environment variables for all commands in sudoers, add them to env_keep. From sudoers(4):

       env_keep     Environment variables to be preserved in the
                    user's environment when the env_reset option
                    is in effect.  This allows fine-grained
                    control over the environment sudo-spawned
                    processes will receive.  The argument may be
                    a double-quoted, space-separated list or a
                    single value without double-quotes.  The
                    list can be replaced, added to, deleted
                    from, or disabled by using the =, +=, -=,
                    and ! operators respectively.  The default
                    list of variables to keep is displayed when
                    sudo is run by root with the -V option.

       env_reset    If set, sudo will reset the environment to only contain the
                    following variables: HOME, LOGNAME, PATH, SHELL, TERM, and
                    USER (in addition to the SUDO_* variables).  Of these, only
                    TERM is copied unaltered from the old environment.  The
                    other variables are set to default values (possibly modified
                    by the value of the set_logname option).  If sudo was
                    compiled with the SECURE_PATH option, its value will be
                    used for the PATH environment variable.  Other variables
                    may be preserved with the env_keep option.

If you want to execute a command in sudoers with environment variables preserved (while env_reset is set), add the SETENV tag to the command, and execute the command with sudo -E. From sudo(1m):

    -E  The -E (preserve environment) option will override the
        env_reset option in sudoers(4)).  It is only available
        when either the matching command has the SETENV tag or
        the setenv option is set in sudoers(4).

  • Run sudo -V as root to list the environment variables sudo clears.

e.g.,

# sudo -V
Environment variables to remove:
       PERL5OPT
       PERL5LIB
       PERLLIB
       JAVA_TOOL_OPTIONS
       SHELLOPTS
       PS4
       BASH_ENV
       ENV
       TERMCAP
       TERMPATH
       TERMINFO_DIRS
       TERMINFO
       _RLD*
       LD_*
       PATH_LOCALE
       NLSPATH
       HOSTALIASES
       RES_OPTIONS
       LOCALDOMAIN
       PS4
       SHELLOPTS
       CDPATH
       IFS
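
A defensive check for the settings described above, as an added example that is not part of the original page: the script scans a sudoers file for SETENV tags, the setenv option, a disabled env_reset, and env_keep entries that re-admit variables from the sudo -V removal list. The sample policy, its user names and command paths are constructed, and the parsing is a simplification (whole-line comments only, no line continuations or included files).

```shell
#!/bin/sh
# Subset of the variables the sudo -V output above lists as removed.
RISKY='PERL5OPT PERL5LIB PERLLIB JAVA_TOOL_OPTIONS SHELLOPTS PS4 BASH_ENV ENV IFS CDPATH _RLD* LD_*'

# audit_sudoers [FILE...]: print one finding per line (reads stdin if no FILE).
# Assumption: one rule per line; continuations and includes are not followed.
audit_sudoers() {
    awk -v risky="$RISKY" '
    /^[ \t]*#/ { next }
    # SETENV: permits "sudo -E" for that command; ignore the opposite tag NOSETENV:.
    { line = $0; gsub(/NOSETENV:/, "", line) }
    line ~ /SETENV:/ { print "SETENV tag: " $0 }
    /^[ \t]*Defaults/ && /(^|[ \t,])setenv([ \t,]|$)/ { print "setenv option: " $0 }
    /^[ \t]*Defaults/ && /!env_reset/ { print "env_reset disabled: " $0 }
    # env_keep with = or += (not -=): compare each kept name with the risky list.
    /^[ \t]*Defaults/ && /env_keep[ \t]*[+]?=/ {
        list = $0
        sub(/.*env_keep[ \t]*[+]?=[ \t]*/, "", list)
        gsub(/"/, "", list)
        n = split(list, kept, /[ \t]+/)
        m = split(risky, bad, " ")
        for (i = 1; i <= n; i++) for (j = 1; j <= m; j++) {
            p = bad[j]
            if (p ~ /\*$/) { sub(/\*$/, "", p); hit = (index(kept[i], p) == 1) }
            else hit = (kept[i] == p)
            if (hit) print "risky env_keep: " kept[i]
        }
    }' "$@"
}

# Constructed sample policy (users and paths are made up for this example).
sample_sudoers() {
    cat <<'EOF'
# constructed sample
Defaults env_reset
Defaults env_keep += "http_proxy LD_LIBRARY_PATH"
Defaults env_keep -= "PERL5LIB"
alice ALL = (root) SETENV: /usr/local/bin/deploy
bob   ALL = (root) NOSETENV: /usr/bin/id
EOF
}

sample_sudoers | audit_sudoers
```

To check a real policy, pass the file as an argument, for example `audit_sudoers /etc/sudoers` run as root.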