Todd C. Miller
Todd.Miller at courtesan.com
Fri Jan 18 10:31:20 EST 2008
In message <2379dacc0801172038j15bce4fbv32e45f696d8a24e6 at mail.gmail.com>
so spake "Michael Potter" (pottmi):
> I am studying how sudo handles the environment and have a couple of
> questions about env_keep. The man page says there are no default
> members to env_keep, but when I look at the source code I see an array
> called "initial_keepenv_table" that looks like a list of default
The initial_keepenv_table was introduced in sudo 1.6.9. Prior to
that it was not populated. The current sudoers manual page does
not contain that wording.
> Now to me it does not make sense to have an env_delete list and an
> env_keep list. What do you do with it if it is not on either list:
> Don't keep it _AND_ Don't delete it? Anyway, there must be something I
> am missing because I am sure that these features made sense to someone
> otherwise they would not have been added.
What is confusing you is that there are two ways of dealing with
the environment in sudo.
The old world order, in sudo < 1.6.9, where the env_reset flag
defaults to false, was to preserve all environment variables that
did not match the env_delete or env_check lists. The env_keep list
has no effect when env_reset is false.
In the new world order, in sudo >= 1.6.9, the env_reset flag defaults
to true. In this case the env_keep and env_check lists are used
and env_delete has no effect.
There is wording to this effect in the "SECURITY NOTES" section
of the current sudo man page.
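A small model of the two modes described in the reply above, added here as an illustration and not taken from sudo's own source. It assumes exact variable-name matching (real sudoers entries may also use wildcards) and uses the sudoers manual's definition of a "safe" env_check value (no '%' or '/' characters), which this message itself does not spell out; the sample environment is constructed.

```python
def is_safe_value(value):
    # sudoers' test for env_check entries: a value is "safe" when it
    # contains no '%' or '/' characters (TZ gets special handling in
    # real sudo; ignored here for simplicity).
    return "%" not in value and "/" not in value


def filter_environment(env, env_reset, env_keep=(), env_check=(), env_delete=()):
    """Return the environment that would be passed to the command.

    env_reset False (default before sudo 1.6.9): keep every variable that
    is not on env_delete and is not an env_check name with an unsafe value.
    env_keep is ignored in this mode.

    env_reset True (default from sudo 1.6.9 on): start from nothing and
    admit only env_keep names plus env_check names whose values are safe.
    env_delete is ignored in this mode.
    """
    keep, check, delete = set(env_keep), set(env_check), set(env_delete)
    result = {}
    for name, value in env.items():
        if env_reset:
            if name in keep or (name in check and is_safe_value(value)):
                result[name] = value
            # everything else is dropped; env_delete has no effect here
        else:
            if name in delete:
                continue
            if name in check and not is_safe_value(value):
                continue
            result[name] = value  # env_keep has no effect here
    return result


# Constructed sample environment for the demonstration.
SAMPLE_ENV = {
    "HOME": "/home/alice",
    "LANG": "en_US.UTF-8",
    "EDITOR": "vi",
    "LD_PRELOAD": "/tmp/libfoo.so",
    "TERM": "xterm",
}

if __name__ == "__main__":
    lists = dict(env_keep=["EDITOR"], env_check=["LANG"], env_delete=["LD_PRELOAD"])
    print("env_reset=false ->", sorted(filter_environment(SAMPLE_ENV, False, **lists)))
    print("env_reset=true  ->", sorted(filter_environment(SAMPLE_ENV, True, **lists)))
```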