Passing PATH through sudo

13

3

In short: how to make sudo not flush PATH every time?

I have some websites deployed on my server (Debian testing) written with Ruby on Rails. I use Mongrel+Nginx to host them, but there is one problem that comes when I need to restart Mongrel (e.g. after making some changes).

All sites are checked in VCS (git, but it is not important) and have owner and group set to my user, whereas Mongrel runs under the, huh, mongrel user that is severely restricted in its rights. So Mongrel must be started under root (it can automatically change UID) or mongrel.

To manage mongrel I use mongrel_cluster gem because it allows starting or stopping any amount of Mongrel servers with just one command. But it needs the directory /var/lib/gems/1.8/bin to be in PATH: it is not enough to start it with an absolute path.

Modifying PATH in root .bashrc changed nothing, tweaking sudo's env_reset and env_keep didn't either.

So the question: how to add a directory to PATH or keep user's PATH in sudo?

Update: some examples

$ env | grep PATH
PATH=/usr/local/bin:/usr/bin:/bin:/usr/games:/var/lib/gems/1.8/bin
$ sudo cat /etc/sudoers | egrep -v '^$|^#'
Defaults    env_keep = "PATH"
root    ALL=(ALL) ALL
%sudo ALL=NOPASSWD: ALL
$ sudo env | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin

Also I can say that it works exactly this way in Debian stable (lenny) too.

whitequark

Posted 2010-01-21T07:54:27.077

Reputation: 14 146

1

See also http://stackoverflow.com/questions/257616/sudo-changes-path-why

– rogerdpack – 2013-11-13T16:51:35.310

Answers

12

Struggled with the same problem for a few hours. In Debian lenny, you can fix it by adding

Defaults        exempt_group=<your group> 

to the sudoers file.

This is the only way to go around the compiled --secure-path option (as far as I know).

Notably, this will also exempt users from needing to enter their password when they sudo.

Rob

Posted 2010-01-21T07:54:27.077

Reputation: 136

3

If you have secure_path set in /etc/sudoers, you can play with env_reset / env_keep all you like and it won't make any difference to the path. If you see something like this, comment it out.

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin

Draemon

Posted 2010-01-21T07:54:27.077

Reputation: 738

No, of course it wasn't set. – whitequark – 2010-06-25T15:48:24.927

0

I'd say look into the env_reset and env_keep options in man sudo. But it sounds like you've already done that (you just mistakenly call env_keep "keepenv"). If you disable the env_reset option (default is enabled), I think it's not supposed to erase any env variables. But this is less secure.

There's also a secure_path option to sudo; I think this is enabled by default. You could try disabling it.

The preceding options are set in your /etc/sudoers file. There's also the -i command-line option to sudo. That will cause sudo to run /root/.profile or /root/.login. You could set your desired path there.

dubiousjim

Posted 2010-01-21T07:54:27.077

Reputation: 1 128

1

No, when env_reset is turned off it still changes (not erases) PATH. Probably this is done to add /*/sbin dirs. No, the -i option is not suitable because it starts an interactive shell, and I need only to run a command. – whitequark – 2010-04-13T02:12:21.857

Okay, the problem vanished after reinstalling Debian (because of migrating to LVM) and also RubyGems; your answer was the most useful of all so it can be accepted now. – whitequark – 2010-04-27T11:11:11.987

-1

Well, you're doing something wrong. Also, you didn't specify what you did with your /etc/sudoers file. Here's what you should've done -- this is a CentOS system, BTW:

First, this is with the right env_keep setting (notice PATH is in there):

sudo grep -5 PATH /etc/sudoers
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                    LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                    LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                    _XKB_CHARSET XAUTHORITY PATH"

Defaults   timestamp_timeout = 15 

## Next comes the main part: which users can run what software on 
## which machines (the sudoers file can be shared between multiple

-> export PATH=$PATH:hithere
-> sudo sh -c 'echo $PATH'
/sbin:/bin:/usr/sbin:/usr/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/bin:hithere

Looks good. Now let's remove the env_keep setting and try again:

-> sudo visudo
-> sudo grep -5 PATH /etc/sudoers
                    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                    LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                    LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                    _XKB_CHARSET XAUTHORITY"
 #_XKB_CHARSET XAUTHORITY PATH"

What a sad PATH:

 -> sudo sh -c 'echo $PATH'
 /usr/bin:/bin

Emmel

Posted 2010-01-21T07:54:27.077

Reputation: 351

1

I checked that MORE than twice! Check the update in post. – whitequark – 2010-04-16T15:22:43.907

I have the same problem, I definitely have the right settings you mention – Draemon – 2010-06-25T14:05:14.263
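The answers above name four sudoers settings that decide what PATH a command gets: env_reset, env_keep, secure_path and exempt_group. The following is an added example, not code from any of the posters: a small Python audit that reads sudoers text, joins backslash-continued Defaults lines like the ones in the CentOS answer, and reports which of those settings are in force. The sample text, the group name admins and the function names are constructed for illustration; a secure path compiled into the sudo binary, which one answer mentions, does not appear in the file and is not detected.

```python
import re

# Constructed sample (not from a real host) combining the settings the answers discuss.
SAMPLE = r'''
Defaults    env_reset
Defaults    env_keep = "COLORS DISPLAY HOSTNAME \
                    LANG LC_ALL PATH"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
Defaults    exempt_group = admins
'''

# One Defaults item: optional "!", a name, then optionally =, += or -= and a value.
ITEM = re.compile(r'(!?)(\w+)\s*(?:([+-]?=)\s*("[^"]*"|[^,\s]+))?')

def defaults_lines(text):
    """Join backslash-continued lines; yield the body of each global Defaults line."""
    for line in re.sub(r'\\\n\s*', ' ', text).splitlines():
        # Comments, user rules and Defaults:user / Defaults@host lines do not match.
        m = re.match(r'Defaults\s+(.*)', line.strip())
        if m:
            yield m.group(1)

def audit(text):
    """Collect the global Defaults that decide what PATH a sudo command gets."""
    st = {'env_reset': True, 'env_keep': set(), 'secure_path': None, 'exempt_group': None}
    for body in defaults_lines(text):
        for neg, name, op, val in ITEM.findall(body):
            if name == 'env_reset':
                st['env_reset'] = not neg
            elif name == 'env_keep':  # sudo's built-in env_keep list is not modelled
                names = set(val.strip('"').split())
                st['env_keep'] = (set() if neg else names if op == '=' else
                                  st['env_keep'] | names if op == '+=' else
                                  st['env_keep'] - names)
            elif name in ('secure_path', 'exempt_group'):
                st[name] = None if neg else val.strip('"')
    return st

def path_findings(st):
    """Describe, per the sudoers manual, how these settings treat the caller's PATH."""
    out = []
    if st['secure_path']:
        out.append('secure_path overrides PATH: ' + st['secure_path'])
    elif not st['env_reset']:
        out.append('env_reset off: caller environment is inherited')
    elif 'PATH' in st['env_keep']:
        out.append('env_keep lists PATH')
    if st['exempt_group']:
        out.append('exempt_group %s skips password and PATH requirements' % st['exempt_group'])
    return out
```

Calling path_findings(audit(text)) on the sudoers file from the question's update returns only "env_keep lists PATH", which is why the file alone does not explain the reset PATH shown there. The exempt_group finding is reported separately because that setting also removes the password prompt for the group.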