5

I'm trying to sudo some binaries that lies in a custom path. That custom path is removed when I run sudo though, but sudo -E should preserve my path. Why doesn't it work?

$ env | egrep ^PATH
PATH=/home/codemonkey/.nvm/v0.6.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/gam
es:/usr/games

$ sudo env | egrep ^PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin

$ sudo -E env | egrep ^PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin

I know how to work around it, I just want to know why sudo -E doesn't work

Hubro
  • 1,098
  • 3
  • 16
  • 35

4 Answers4

4

You can set the exempt_group option to tell sudo to keep the PATH for users in that group.

For example, say your user is in the group 'sys'. Add the following to your sudoers file

Defaults exempt_group="sys"

Now your user will not have PATH reset for sudo commands (-E is not needed for this to work).
See the man page for more details.

EDIT: Going to have to note this as a bad answer. It is true that it works, but it has a side effect I didnt notice while playing with it. It also exempts users in that group from having to type their password. Seems you cant get PATH preservation without allowing this. Bit stupid I think...

phemmer
  • 5,789
  • 2
  • 26
  • 35
1

Proposing another solution in addition to the one I already entered. This works for bash only (but can be modified for other shells).

The following is a wrapper around sudo that will look for the command youre passing to it. Once it finds the command it changes it to the fully qualified path.
So in effect sudo echo hello becomes sudo /bin/echo hello.

Put the following in your ~/.bashrc

function sudo() {
   local ARGS
   declare -a ARGS=()
   while (( $# )); do
      if [[ "${1:0:1}" == "-" ]]; then
         # the argument is a dash-arg; '-s' for example
         ARGS[${#ARGS[@]}]="$1"
         if [[ "$1" =~ ^-[pugD]$ ]]; then
            # these are the arguments that take a parameter, so skip the next
            ARGS[${#ARGS[@]}]="$2"
            shift
         fi
         shift
      elif [[ "$1" == *"="* ]]; then
         # the argument is a env var to set, not a command
         ARGS[${#ARGS[@]}]="$1"
         shift
      else
         # finally, a command
         CMD="$(which --skip-alias --skip-functions "$1")"
         [[ -z "$CMD" ]] && ARGS[${#ARGS[@]}]="$1" || ARGS[${#ARGS[@]}]="$CMD"
         shift
         break
      fi
   done
   command sudo "${ARGS[@]}" "$@"
}

Note, it wont properly handle it if you have a command with an = in its name. This is extremely unlikely, so I accepted this caveat to keep it simple.

phemmer
  • 5,789
  • 2
  • 26
  • 35
1

From sudoers(5):

 setenv            Allow the user to disable the env_reset option from the 
                   command line via the -E option.  Additionally, environment
                   variables set via the command line are not subject to the
                   restrictions imposed by env_check, env_delete, or env_keep.  
                   As such, only trusted users should be allowed to set  
                   variables in this manner.  This flag is off by default.
reddot
  • 156
  • 2
0

I'd look to the options in the sudoers file as they control some of the sudo behavior.

And of course I'd consult the man page for the sudoers file.

mdpc
  • 11,698
  • 28
  • 51
  • 65
  • All the sudoers file does is set `Defaults env_reset` and the define some user privileges. Shouldn't `sudo -E` override the defaults? – Hubro Feb 03 '12 at 23:46
  • 4
    @Codemonkey No, the philosophy behind sudoers is to provide policy, not merely "defaults". So an ordinary user cannot override with the command line switches the policy that has been globally set by root to `env reset`. – kubanczyk Feb 03 '12 at 23:50
  • I'd think that probably not, since the root user (i.e. administrator) is controlling the configuration and any user can access sudo (it may not get them anywhere). Thus you'd be overriding something that the administrator wants to be enforced. – mdpc Feb 03 '12 at 23:51
  • Is there any way to allow overrides for certain users? Also, can't any user with sudo access just change the defaults? – Hubro Feb 03 '12 at 23:57
  • 3
    Sudo users do NOT necessarily have root access, and thus this your statement is not true. – mdpc Feb 04 '12 at 00:18