Sudo and environment variables
From Brandonhutchinson.com
- If env_reset is set in sudoers, sudo will reset most environment variables.
If you want to preserve one or more environment variables for all commands in sudoers, add them to env_keep. From sudoers(4):
    env_keep    Environment variables to be preserved in the user's
                environment when the env_reset option is in effect.
                This allows fine-grained control over the environment
                sudo-spawned processes will receive. The argument may be
                a double-quoted, space-separated list or a single value
                without double-quotes. The list can be replaced, added
                to, deleted from, or disabled by using the =, +=, -=,
                and ! operators respectively. The default list of
                variables to keep is displayed when sudo is run by root
                with the -V option.

    env_reset   If set, sudo will reset the environment to only contain
                the following variables: HOME, LOGNAME, PATH, SHELL,
                TERM, and USER (in addition to the SUDO_* variables).
                Of these, only TERM is copied unaltered from the old
                environment. The other variables are set to default
                values (possibly modified by the value of the
                set_logname option). If sudo was compiled with the
                SECURE_PATH option, its value will be used for the PATH
                environment variable. Other variables may be preserved
                with the env_keep option.
If you want to execute a command in sudoers with environment variables preserved (while env_reset is set), add the SETENV tag to the command, and execute the command with sudo -E. From sudo(1m):
    -E          The -E (preserve environment) option will override the
                env_reset option in sudoers(4). It is only available
                when either the matching command has the SETENV tag or
                the setenv option is set in sudoers(4).
- Run sudo -V as root to list the environment variables sudo clears.
e.g.,

    # sudo -V
    Environment variables to remove:
        PERL5OPT
        PERL5LIB
        PERLLIB
        JAVA_TOOL_OPTIONS
        SHELLOPTS
        PS4
        BASH_ENV
        ENV
        TERMCAP
        TERMPATH
        TERMINFO_DIRS
        TERMINFO
        _RLD*
        LD_*
        PATH_LOCALE
        NLSPATH
        HOSTALIASES
        RES_OPTIONS
        LOCALDOMAIN
        PS4
        SHELLOPTS
        CDPATH
        IFS
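
The rules above as a small Python model, added here as an illustration and not taken from sudo or from this page's author: it shows which variables a command receives under env_reset, with env_keep, and with sudo -E. It assumes the removal list is still applied when env_reset is off or overridden by -E; the function names, CALLER and DEFAULTS are constructed for the example.

```python
from fnmatch import fnmatchcase

# Part of the removal list from the `sudo -V` output above.
REMOVE = ("PERL5OPT", "PERL5LIB", "PERLLIB", "JAVA_TOOL_OPTIONS", "SHELLOPTS",
          "PS4", "BASH_ENV", "ENV", "_RLD*", "LD_*", "CDPATH", "IFS")

def matches(name, patterns):
    """True if name matches any entry; '*' is a wildcard as in LD_*."""
    return any(fnmatchcase(name, p) for p in patterns)

def sudo_env(caller, defaults, env_keep=(), env_reset=True,
             preserve=False, setenv_allowed=False):
    """Simplified model (an assumption, not sudo's code) of the environment
    a sudo-spawned process receives. SUDO_* variables are left out.
    defaults: values sudo assigns to HOME, LOGNAME, PATH, SHELL and USER
    preserve: caller used `sudo -E`
    setenv_allowed: command has the SETENV tag or setenv is set"""
    if preserve:
        if not setenv_allowed:
            raise PermissionError("-E requires the SETENV tag or setenv")
        env_reset = False                      # -E overrides env_reset
    if not env_reset:
        # Assumed here: without env_reset only the removal list applies.
        return {k: v for k, v in caller.items() if not matches(k, REMOVE)}
    env = dict(defaults)                       # reset to default values
    if "TERM" in caller:
        env["TERM"] = caller["TERM"]           # TERM is copied unaltered
    env.update({k: v for k, v in caller.items() if matches(k, env_keep)})
    return env

# Constructed sample data.
CALLER = {"HOME": "/home/alice", "LOGNAME": "alice", "USER": "alice",
          "SHELL": "/bin/bash", "PATH": "/home/alice/bin:/usr/bin",
          "TERM": "xterm", "EDITOR": "vim", "LD_PRELOAD": "/home/alice/shim.so",
          "http_proxy": "http://proxy.example:3128"}
DEFAULTS = {"HOME": "/root", "LOGNAME": "root", "USER": "root",
            "SHELL": "/bin/sh", "PATH": "/usr/sbin:/usr/bin:/sbin:/bin"}

if __name__ == "__main__":
    for label, kwargs in (
            ("env_reset", {}),
            ("env_reset + env_keep", {"env_keep": ("http_proxy",)}),
            ("sudo -E with SETENV", {"preserve": True, "setenv_allowed": True})):
        print(label, sorted(sudo_env(CALLER, DEFAULTS, **kwargs)))
```

In the -E case the caller's PATH and EDITOR reach the command, which is why SETENV is best granted per command rather than through a global setenv.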
