[sudo-users] Re: Question on passing ENV variables
Chris Jepeway
jepeway at blasted-heath.com
Sun Feb 20 12:00:34 EST 2005
Steve:
I haven't been a developer for sudo for...jeez...a decade now.
And I no longer maintain a great galumphing glob of Unix machines,
so the needs I have these days for sudo are simple enough that
I'm not familiar with "new" syntax in sudoers like env_delete.
I've therefore cc'ed your msg to the sudo-users mailing list,
where I'm sure somebody can help you out.
My ignorance of env_delete aside, I'm certain you can just
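enable the running of a wrapper script in sudoers that looks
like this:

#!/bin/sh
# Directory holding the DB2 shared libraries
DB2LIB=/where/ever/the/db2/libs/are
# Command that starts WebSphere (left unquoted below so it may carry arguments)
START_WEBSPHERE=/how/ever/you/start/websphere
# Replace this shell with the start command, library paths set explicitly
exec env LD_LIBRARY_PATH="$DB2LIB" LIBPATH="$DB2LIB" $START_WEBSPHERE
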
where the DB2LIB & START_WEBSPHERE vars are set appropriately.
This would work just fine if those vars have a static setting,
by which I mean the vars are the same for all users who need
to start WebSphere via sudo.
Chris <jepeway at blasted-heath.com>.
On Feb 19, 2005, at 10:15 PM, Steven Song wrote:
> Hi Chris. I was wondering if you would answer about adding environment
> variables. I know by default, the FAQ states that dangerous ENV
> variables when you run a command using sudo. I need to add
> LD_LIBRARY_PATH and LIBPATH variables when I run my start WebSphere
> command. WebSphere 5.x starts fine. The issue is the DB2 connection does
> not work from WebSphere because of these missing variables. The variables
> are in my .profile for the user running the start command.
>
> From A. P. Lawrence's sudo help site, he states that you can allow variables
> by using "env_delete-=<env variable>" in the sudoers file. Here is an
> excerpt:
>
> But we can add to the list of variables to discard:
> # sudoers file.
> #
> # This file MUST be edited with the 'visudo' command as root.
> #
> Defaults:jim timestamp_timeout=-1, env_delete+="BOOP"
>
> Note the "+=" to ADD to the environment list. If we had just used "=",
> that would have replaced all of sudo's defaults. You can also use "-=" to
> subtract a default variable and allow it to be passed.
> Now "jim" won't get BOOP in his sudo environment.
>
> I tried adding this to my sudoers file. Unfortunately, the LIBPATH and
> LD_LIBRARY_PATH variables are still not showing up when I run "sudo
> /usr/bin/env". Is there any way to allow these two variables to pass thru?
> Or does sudo just not allow any of the "dangerous" variables to pass
> through. I appreciate any help.
>
> # Defaults specification
> Defaults timestamp_timeout=0, env_delete-="LIBPATH", \
> env_delete-="LD_LIBRARY_PATH"
> Defaults logfile=/var/log/sudolog
>
> Regards,
>
> Steve
>
> CCMS Development
> Phone: 919-486-8542 or TL: 8/526-8542
> email: ssong at us.ibm.com
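
A hardened variant of the wrapper approach described in the reply above, added here as an illustration and not code from the original thread. Because the wrapper runs as root and pins the library search path itself, the library directory and the start command become part of the trust boundary, so it checks them before exec. The paths are the placeholders from the message; the function names, the script name `start-websphere` and the root-ownership requirement are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): sudo wrapper that pins the library
# path and refuses to run if what it trusts could be modified by others.

# Placeholders from the message above; set them to the real locations.
DB2LIB=/where/ever/the/db2/libs/are
START_WEBSPHERE=/how/ever/you/start/websphere

# locked_down PATH OWNER
# Succeeds only if PATH exists, is owned by OWNER (name or numeric uid) and
# is writable by neither group nor others. "find -prune" tests PATH itself
# without descending into it; a symlink is tested as a symlink and fails.
# Parent directories are not examined here.
locked_down() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune -user "$2" ! -perm -020 ! -perm -002 \
            -print 2>/dev/null)" ]
}

main() {
    for p in "$DB2LIB" "$START_WEBSPHERE"; do
        if ! locked_down "$p" root; then
            echo "refusing to start: $p must be root-owned and not" \
                 "group/world-writable" >&2
            exit 1
        fi
    done
    # Values are fixed here, so nothing from the caller's environment
    # decides which libraries get loaded.
    exec env LD_LIBRARY_PATH="$DB2LIB" LIBPATH="$DB2LIB" "$START_WEBSPHERE"
}

# Run only when installed under the name listed in sudoers (assumed name).
if [ "${0##*/}" = "start-websphere" ]; then
    main
fi
```
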