[sudo-users] Sudo keeps using the same binary although PATH is different when invoking with sudo.
Piotr Dobrogost
p at gmane-2014.dobrogost.net
Mon Mar 3 14:30:59 MST 2014
Todd C. Miller <Todd.Miller <at> courtesan.com> writes:
> The env command is useful for this. E.g.
>
> $ sudo env | grep PATH
>
> That will show you the PATH sudo has set without a shell in the way.
Right, recalled env after posting, too :)
[user at localhost ~]$ env | grep PATH
PATH=/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin:/home/user/bin
[user at localhost ~]$ sudo env | grep PATH
PATH=/usr/bin:/bin
> Based on that output I would not expect sudo to modify the PATH.
Yet it seems it does modify PATH as seen in the output from `env` above.
Any ideas? Is it possible that this version of sudo was compiled with
secure_path but information about this is missig both in the output of sudo
-l and sudo -V? Below is the output of sudo sudo -V:
[user at localhost ~]$ sudo sudo -V
Sudo version 1.7.2p1
Sudoers path: /etc/sudoers
nsswitch path: /etc/nsswitch.conf
ldap.conf path: /etc/ldap.conf
ldap.secret path: /etc/ldap.secret
Authentication methods: 'pam'
Syslog facility if syslog is being used for logging: authpriv
Syslog priority to use when user authenticates successfully: notice
Syslog priority to use when user authenticates unsuccessfully: alert
Ignore '.' in $PATH
Send mail if the user is not in sudoers
Use a separate timestamp for each user/tty combo
Lecture user the first time they run sudo
Require users to authenticate by default
Root may run sudo
Allow some information gathering to give useful error messages
Visudo will honor the EDITOR environment variable
Set the LOGNAME and USER environment variables
Length at which to wrap log file lines (0 for no wrap): 80
Authentication timestamp timeout: 5 minutes
Password prompt timeout: 5 minutes
Number of tries to enter a password: 3
Umask to use or 0777 to use user's: 022
Path to mail program: /usr/sbin/sendmail
Flags for mail program: -t
Address to send mail to: root
Subject line for mail messages: *** SECURITY information for %h ***
Incorrect password message: Sorry, try again.
Path to authentication timestamp dir: /var/run/sudo
Default password prompt: [sudo] password for %p:
Default user to run commands as: root
Path to the editor for use by visudo: /bin/vi
When to require a password for 'list' pseudocommand: any
When to require a password for 'verify' pseudocommand: all
File containing dummy exec functions: /usr/libexec/sudo_noexec.so
File descriptors >= 3 will be closed before executing a command
Reset the environment to a default set of variables
Environment variables to check for sanity:
TERM
LINGUAS
LC_*
LANGUAGE
LANG
COLORTERM
Environment variables to remove:
RUBYOPT
RUBYLIB
PYTHONINSPECT
PYTHONPATH
PYTHONHOME
TMPPREFIX
ZDOTDIR
READNULLCMD
NULLCMD
FPATH
PERL5DB
PERL5OPT
PERL5LIB
PERLLIB
PERLIO_DEBUG
JAVA_TOOL_OPTIONS
SHELLOPTS
GLOBIGNORE
PS4
BASH_ENV
ENV
TERMCAP
TERMPATH
TERMINFO_DIRS
TERMINFO
_RLD*
LD_*
PATH_LOCALE
NLSPATH
HOSTALIASES
RES_OPTIONS
LOCALDOMAIN
CDPATH
IFS
Environment variables to preserve:
XAUTHORIZATION
XAUTHORITY
TZ
PS2
PS1
PATH
MAIL
LS_COLORS
KRB5CCNAME
HOSTNAME
HOME
DISPLAY
COLORS
Locale to use while parsing sudoers: C
Local IP address and netmask pairs:
10.0.2.15 / 255.255.255.0
fe80::a00:27ff:febb:56ce / ffff:ffff:ffff:ffff::
Regards,
Piotr
More information about the sudo-users
mailing list