The sudo manpage tells me that I can preserve the environment by passing the -E option, which does not work in the case of $TMPDIR:

> env | grep TMPDIR
TMPDIR=/localdata/tmp
> sudo env | grep TMPDIR
[no output]
> sudo -E env | grep TMPDIR
[no output]

This option is not blacklisted, that is `sudo sudo -V` doesn't list it as "Environment variables to remove". Following the approach proposed in an answer to the question "How to specify root's environment variables", I tried to whitelist it, that is my /etc/sudoers reads:

Defaults        env_reset
Defaults        env_keep = "TMPDIR"

This doesn't work either; it actually doesn't even make TMPDIR appear in the whitelist (that is, what `sudo sudo -V` prints as "Environment variables to preserve").

(I'm running Ubuntu 10.04.)

1 Answer

It looks like glibc will remove certain environment variables when running setuid programs (sudo is, of course, setuid). TMPDIR is one of these environment variables, although it doesn't seem to be documented anywhere. This is a security feature to prevent setuid programs from having their environments altered to allow for malicious reading/writing of file data.

If you want TMPDIR in your sudo environment, you can pass it explicitly:

sudo TMPDIR=$TMPDIR env
– hrunting
  • Thanks - Your second reference leads to a Bugzilla entry, closed as notabug, claiming that this behaviour is documented in [ld.so(8)](http://www.kernel.org/doc/man-pages/online/pages/man8/ld.so.8.html), which I cannot confirm. – Mirko Vogel Feb 20 '13 at 08:08
  • @hrunting, thanks a ton for this tip. I've just been struggling to get a build script for an embedded device to run because it wants 8 GB of scratch space in `/tmp`, but my VM's drive only has 2 GB free. I tried specifying `TMPDIR` _before_ `sudo`, but this _does not work_. Putting it after worked like a charm. Thanks! – evadeflow May 03 '13 at 21:19
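As an added illustration (not code from the post, from sudo or from glibc), the C program below mimics the filtering the glibc loader performs when a program runs with AT_SECURE set: the listed variables are unset before main() runs, so sudo never sees TMPDIR and neither -E nor env_keep can bring it back, while `sudo TMPDIR=$TMPDIR cmd` works because sudo reads the assignment from its arguments rather than from the environment. The variable list is an assumption recalled from glibc's sysdeps/generic/unsecvars.h and differs between glibc versions; the sample environment is constructed.

```c
/* Added example (not from the post, sudo or glibc): mimics the filtering the
 * glibc loader applies to a setuid program's environment (AT_SECURE set).
 * The name list is an assumption recalled from glibc's unsecvars.h and
 * differs between versions. */
#include <stdio.h>
#include <string.h>

static const char *const unsecure_vars[] = {
    "GCONV_PATH", "GETCONF_DIR", "GLIBC_TUNABLES", "HOSTALIASES",
    "LD_AUDIT", "LD_DEBUG", "LD_DEBUG_OUTPUT", "LD_DYNAMIC_WEAK",
    "LD_HWCAP_MASK", "LD_LIBRARY_PATH", "LD_ORIGIN_PATH", "LD_PRELOAD",
    "LD_PROFILE", "LD_SHOW_AUXV", "LD_USE_LOAD_BIAS", "LOCALDOMAIN",
    "LOCPATH", "MALLOC_TRACE", "NIS_PATH", "NLSPATH", "RESOLV_HOST_CONF",
    "RES_OPTIONS", "TMPDIR", "TZDIR", NULL
};

/* Return 1 if a NAME=VALUE entry is dropped in secure-execution mode. */
int is_unsecure_env_entry(const char *entry)
{
    const char *eq = strchr(entry, '=');
    size_t len = eq ? (size_t)(eq - entry) : strlen(entry);
    for (int i = 0; unsecure_vars[i]; i++)
        if (strlen(unsecure_vars[i]) == len &&
            strncmp(unsecure_vars[i], entry, len) == 0)
            return 1;
    return 0;
}

/* Compact envp in place, dropping unsecure entries; return how many went. */
int filter_unsecure_env(char **envp)
{
    int removed = 0, out = 0;
    for (int in = 0; envp[in]; in++) {
        if (is_unsecure_env_entry(envp[in])) removed++;
        else envp[out++] = envp[in];
    }
    envp[out] = NULL;
    return removed;
}

int main(void)
{
    /* Constructed sample environment, mirroring the shell in the question. */
    char *env[] = { "HOME=/home/user", "TMPDIR=/localdata/tmp",
                    "LD_LIBRARY_PATH=/opt/lib", "PATH=/usr/bin", NULL };
    printf("removed %d entries; what sudo's main() would see:\n",
           filter_unsecure_env(env));
    for (int i = 0; env[i]; i++) puts(env[i]);
    return 0;
}
```

Running it prints the surviving entries (HOME and PATH) and shows why checking `sudo -V`'s preserve/remove lists never explains a variable that the loader already stripped.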