[sudo-users] Re: Question on passing ENV variables

Chris Jepeway jepeway at blasted-heath.com
Sun Feb 20 12:00:34 EST 2005


Steve:

I haven't been a developer for sudo for...jeez...a decade now.
And I no longer maintain a great galumphing glob of Unix machines,
so the needs I have these days for sudo are simple enough that
I'm not familiar with "new" syntax in sudoers like env_delete.
I've therefore cc'ed your msg to the sudo-users mailing list,
where I'm sure somebody can help you out.

My ignorance of env_delete aside, I'm certain you can just
enable the running of a wrapper script in sudoers that looks
like this:

	#!/bin/sh
	# admin-chosen, fixed locations: sudo strips these two variables,
	# so the wrapper sets them itself just before starting WebSphere
	DB2LIB=/where/ever/the/db2/libs/are
	START_WEBSPHERE=/how/ever/you/start/websphere
	exec env LD_LIBRARY_PATH="$DB2LIB" LIBPATH="$DB2LIB" "$START_WEBSPHERE" "$@"

where the DB2LIB & START_WEBSPHERE vars are set appropriately.
This would work just fine if those vars have a static setting,
by which I mean the vars are the same for all users who need
to start WebSphere via sudo.

Chris <jepeway at blasted-heath.com>.


On Feb 19, 2005, at 10:15 PM, Steven Song wrote:

> Hi Chris.  I was wondering if you would answer about adding environment
> variables.  I know by default, the FAQ states that dangerous ENV
> variables when you run a command using sudo.  I need to add
> LD_LIBRARY_PATH and LIBPATH variables when I run my start WebSphere
> command.  WebSphere 5.x starts fine.  The issue is the DB2 connection
> does not work from WebSphere because of these missing variables.  The
> variables are in my .profile for the user running the start command.
>
> From A. P. Lawrence's sudo help site, he states that you can allow
> variables by using "env_delete-=<env variable>" in the sudoers file.
> Here is an excerpt:
>
> But we can add to the list of variables to discard:
> # sudoers file.
> #
> # This file MUST be edited with the 'visudo' command as root.
> #
> Defaults:jim    timestamp_timeout=-1, env_delete+="BOOP"
>
> Note the "+=" to ADD to the environment list. If we had just used "=",
> that would have replaced all of sudo's defaults. You can also use "-="
> to subtract a default variable and allow it to be passed.
> Now "jim" won't get BOOP in his sudo environment.
>
> I tried adding this to my sudoers file.  Unfortunately, the LIBPATH
> and LD_LIBRARY_PATH variables are still not showing up when I run "sudo
> /usr/bin/env".  Is there any way to allow these two variables to pass
> thru?  Or does sudo just not allow any of the "dangerous" variables to
> pass through?  I appreciate any help.
>
> # Defaults specification
> Defaults timestamp_timeout=0, env_delete-="LIBPATH", \
>         env_delete-="LD_LIBRARY_PATH"
> Defaults logfile=/var/log/sudolog
>
> Regards,
>
> Steve
>
> CCMS Development
> Phone: 919-486-8542 or TL: 8/526-8542
> email: ssong at us.ibm.com
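As an added example that is not from this thread, from sudo, or from the posters, here is the wrapper approach Chris describes written out the way an administrator would install it, with a check that the library directory is not writable by others before the privileged process loads shared objects from it; the sudoers line, the DB2 and WebSphere paths, and the wrapper's installed name are all assumptions.

```sh
#!/bin/sh
# Added example, not the original poster's script. The sudoers entry and all
# paths below are assumptions; adjust them to the host.
#
# Hypothetical sudoers line that allows only this wrapper (not a bare shell):
#   steve  ALL = (root) /usr/local/sbin/start-websphere
#
# sudo drops LD_LIBRARY_PATH and LIBPATH from the caller's environment. The
# wrapper rebuilds them from values fixed here, so the user invoking sudo
# cannot point the dynamic loader at a directory of their own choosing.

DB2LIB=/opt/IBM/db2/lib                             # assumed DB2 library dir
START_WEBSPHERE=/opt/WebSphere/bin/startServer.sh   # assumed start command

# Reject a library directory that is missing or group/world-writable:
# a writable DB2LIB would let any local user plant a shared object that
# the privileged WebSphere process then loads.
libdir_is_safe() {
    [ -d "$1" ] || return 1
    case $(ls -ld "$1" | cut -c6,9) in   # group-write and other-write bits
        *w*) return 1 ;;
    esac
    return 0
}

# Run CMD with both variables pinned to LIBDIR, ignoring whatever the caller
# had set; this is the "exec env ..." line from the thread, with quoting.
with_db2_env() {
    libdir=$1; shift
    env LD_LIBRARY_PATH="$libdir" LIBPATH="$libdir" "$@"
}

main() {
    if ! libdir_is_safe "$DB2LIB"; then
        echo "refusing to start: $DB2LIB is missing or writable" >&2
        exit 1
    fi
    exec env LD_LIBRARY_PATH="$DB2LIB" LIBPATH="$DB2LIB" "$START_WEBSPHERE" "$@"
}

# Only start WebSphere when invoked under the wrapper's installed name;
# sourcing the file elsewhere just defines the functions above.
case ${0##*/} in
    start-websphere) main "$@" ;;
esac
```

Because the two variables are pinned inside the script, the sudoers entry needs no env_delete or env_keep changes at all, and the caller's own LD_LIBRARY_PATH never reaches the privileged process.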
