sudo and PATH?

Martin Marcher martin.marcher at openforce.com
Mon Jan 8 18:13:55 UTC 2007 

Hello,

Am 08.01.2007 um 15:08 schrieb Derek Broughton:

> Martin Marcher wrote:
>
>> Hello,
>>
>> Am 05.01.2007 um 20:01 schrieb Matt Price:
>>
>>> but this of course doesn't extend over to sudo  Is there a way to
>>> change
>>> sudo's path, preferably permanently and for every user?
>>
>> have a look a man sudoers(5) and search for "env_reset" and
>> "env_keep" and also the "env_" options in general.

Quote:
        env_reset   If set, sudo will reset the environment to only  
contain the
                    following variables: HOME, LOGNAME, PATH, SHELL,  
TERM, and
                    USER (in addition to the SUDO_* variables).  Of  
these, only
                    TERM is copied unaltered from the old  
environment.  The
                    other variables are set to default values  
(possibly modi-
                    fied by the value of the set_logname option).  If  
sudo was
                    compiled with the SECURE_PATH option, its value  
will be
                    used for the PATH environment variable.  Other  
variables
                    may be preserved with the env_keep option.

Which in essence means

env_sudo = 1
env_keep = PATH

it will erase all environment variables but keep PATH (NOTE: this is  
just a quick write down so it may be the wrong syntax)

another option would be to use Defaults

Quote:
         # Run X applications through sudo; HOME is used to  
find .Xauthority file
         # Note that some programs may use HOME for other purposes  
too and
         # this may lead to privilege escalation!
         Defaults env_keep = "DISPLAY HOME"

Defaults env_keep = "PATH" # keeps $PATH for all users
Defaults:YourUserName env_keep = "HOME USER PATH" # keeps HOME USER  
PATH for YourUserName

or whatever you like (the sudoers file is quite powerfull once you  
managed to climb the learning curve


>
> I'm not sure that's made it any clearer to me.
>>
>> And please do use "visudo" to edit the file...
>
> One of those really stupid legacy unixisms.  For years I _didn't_  
> use visudo
> (without problems) because I refuse to use vi.  Then I realized it  
> doesn't
> really use vi (unless that's your default editor).

hehe, I wasn't refering to using vi vim emacs or any editor but more  
to that if you break your sudoers file without using visudo you won't  
be able to use any sudo command because parsing the file will  
generate an error and sudo will refuse to work, whereas by using  
visudo it will (at least) give you the opportunity to correct the  
syntax - but still doesn't keep you from locking yourself out by  
removing the right to use sudo

hth
martin

More information about the ubuntu-users mailing list