Home / server / Questions / 356747
Accepted
Hubro
Asked: 2012-02-04 15:37:11 +0800 CST

Why doesn't sudo -E actually preserve my environment?

  • 772

I'm trying to sudo some binaries that lies in a custom path. That custom path is removed when I run sudo though, but sudo -E should preserve my path. Why doesn't it work?

$ env | egrep ^PATH
PATH=/home/codemonkey/.nvm/v0.6.1/bin:/usr/local/bin:/usr/bin:/bin:/usr/local/gam
es:/usr/games

$ sudo env | egrep ^PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin

$ sudo -E env | egrep ^PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin

I know how to work around it, I just want to know why sudo -E doesn't work

linux debian environment-variables sudo env

4 Answers

  1. Best Answer

    You can set the exempt_group option to tell sudo to keep the PATH for users in that group.

    For example, say your user is in the group 'sys'. Add the following to your sudoers file

    Defaults exempt_group="sys"

    Now your user will not have PATH reset for sudo commands (-E is not needed for this to work).
    See the man page for more details.

    EDIT: Going to have to note this as a bad answer. It is true that it works, but it has a side effect I didnt notice while playing with it. It also exempts users in that group from having to type their password. Seems you cant get PATH preservation without allowing this. Bit stupid I think...

    • 4

  2. Proposing another solution in addition to the one I already entered. This works for bash only (but can be modified for other shells).

    The following is a wrapper around sudo that will look for the command youre passing to it. Once it finds the command it changes it to the fully qualified path.
    So in effect sudo echo hello becomes sudo /bin/echo hello.

    Put the following in your ~/.bashrc

    function sudo() {
   local ARGS
   declare -a ARGS=()
   while (( $# )); do
      if [[ "${1:0:1}" == "-" ]]; then
         # the argument is a dash-arg; '-s' for example
         ARGS[${#ARGS[@]}]="$1"
         if [[ "$1" =~ ^-[pugD]$ ]]; then
            # these are the arguments that take a parameter, so skip the next
            ARGS[${#ARGS[@]}]="$2"
            shift
         fi
         shift
      elif [[ "$1" == *"="* ]]; then
         # the argument is a env var to set, not a command
         ARGS[${#ARGS[@]}]="$1"
         shift
      else
         # finally, a command
         CMD="$(which --skip-alias --skip-functions "$1")"
         [[ -z "$CMD" ]] && ARGS[${#ARGS[@]}]="$1" || ARGS[${#ARGS[@]}]="$CMD"
         shift
         break
      fi
   done
   command sudo "${ARGS[@]}" "$@"
}

    Note, it wont properly handle it if you have a command with an = in its name. This is extremely unlikely, so I accepted this caveat to keep it simple.

    • 1

  3. From sudoers(5):

     setenv            Allow the user to disable the env_reset option from the 
                   command line via the -E option.  Additionally, environment
                   variables set via the command line are not subject to the
                   restrictions imposed by env_check, env_delete, or env_keep.  
                   As such, only trusted users should be allowed to set  
                   variables in this manner.  This flag is off by default.
    • 1

  4. I'd look to the options in the sudoers file as they control some of the sudo behavior.

    And of course I'd consult the man page for the sudoers file.

    • 0