[sudo-users] environment

Todd C. Miller Todd.Miller at courtesan.com
Fri Jan 18 10:31:20 EST 2008


In message <2379dacc0801172038j15bce4fbv32e45f696d8a24e6 at mail.gmail.com>
	so spake "Michael Potter" (pottmi):

> I am studying how sudo handles the environment and have a couple of
> questions about env_keep.  The man page says there are no default
> members to env_keep, but when I look at the source code I see an array
> called "initial_keepenv_table" that looks like a list of default
> members.

The initial_keepenv_table was introduced in sudo 1.6.9.  Prior to
that it was not populated.  The current sudoers manual page does
not contain that wording.

> Now to me it does not make sense to have an env_delete list and an
> env_keep list.  What do you do with it if it is not on either list:
> Don't keep it _AND_ Don't delete it?  Anyway, there must be something I
> am missing because I am sure that these features made sense to someone
> otherwise they would not have been added.

What is confusing you is that there are two ways of dealing with
the environment in sudo.

The old world order, in sudo < 1.6.9, where the env_reset flag
defaults to false, was to preserve all environment variables that
did not match the env_delete or env_check lists.  The env_keep list
has no effect when env_reset is false.

In the new world order, in sudo >= 1.6.9, the env_reset flag defaults
to true.  In this case the env_keep and env_check lists are used
and env_delete has no effect.

There is wording to this effect in the "SECURITY NOTES" section
of the current sudo man page.

 - todd
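The two modes Todd describes above can be modelled as a small filter. The following is an added illustration written for this page, not sudo's own code: when env_reset is false, everything survives except names matching env_delete (and env_check names whose value fails the sanity check); when env_reset is true, only names matching env_keep (or env_check with a passing value) survive and env_delete is never consulted. The sanity check used for env_check entries (reject values containing `%` or `/`) follows the sudoers manual and is an assumption here, as the message does not spell it out; the sample environment and the list contents are constructed for the demonstration.

```python
"""Toy model of sudo's environment handling in the two env_reset modes.

Illustrative code only; it is not taken from sudo's source.  The
env_keep / env_check / env_delete entries accept the same shell-style
wildcards the sudoers file allows (e.g. "LC_*").
"""
from fnmatch import fnmatchcase


def value_is_safe(value: str) -> bool:
    """Sanity check applied to env_check variables: the sudoers manual
    rejects values containing '%' or '/' (assumption for this model)."""
    return "%" not in value and "/" not in value


def _matches(name: str, patterns) -> bool:
    return any(fnmatchcase(name, pattern) for pattern in patterns)


def filter_env(env: dict, env_reset: bool, env_keep=(), env_check=(), env_delete=()) -> dict:
    """Return the environment the command would inherit.

    env_reset=False : sudo < 1.6.9 default.  Preserve everything that does
                      not match env_delete or fail the env_check test.
                      env_keep has no effect.
    env_reset=True  : sudo >= 1.6.9 default.  Start from an empty
                      environment and admit only env_keep matches and
                      env_check matches with a safe value.  env_delete
                      has no effect.
    """
    result = {}
    for name, value in env.items():
        if env_reset:
            if _matches(name, env_keep):
                result[name] = value
            elif _matches(name, env_check) and value_is_safe(value):
                result[name] = value
            # Anything else is dropped; env_delete is never consulted.
        else:
            if _matches(name, env_delete):
                continue
            if _matches(name, env_check) and not value_is_safe(value):
                continue
            result[name] = value  # env_keep is never consulted.
    return result


# Constructed sample environment for the demonstration.
SAMPLE_ENV = {
    "HOME": "/home/alice",
    "PATH": "/usr/local/bin:/usr/bin",
    "LD_PRELOAD": "/tmp/some.so",
    "TZ": "UTC",
    "LANG": "en_US.UTF-8",
    "EDITOR": "vim",
}


def old_world(env=SAMPLE_ENV) -> dict:
    """env_reset=false: deny-list behaviour."""
    return filter_env(env, env_reset=False,
                      env_keep=["EDITOR"],          # ignored in this mode
                      env_check=["TZ"],
                      env_delete=["LD_*"])


def new_world(env=SAMPLE_ENV) -> dict:
    """env_reset=true: allow-list behaviour."""
    return filter_env(env, env_reset=True,
                      env_keep=["HOME", "LANG"],
                      env_check=["TZ"],
                      env_delete=["PATH"])          # ignored in this mode


if __name__ == "__main__":
    print("env_reset=false ->", sorted(old_world()))
    print("env_reset=true  ->", sorted(new_world()))
```

Running it shows why Michael's "not on either list" question has two answers: with env_reset false the unlisted EDITOR and PATH survive, with env_reset true they are gone even though env_delete was never applied to them.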


