[sudo-users] Fc9 sudo 1.6.9p13 - env_reset and PATH env var
stevetucknott at yahoo.co.uk
Sat Nov 22 04:46:28 EST 2008
Apologies for chasing this, but I have tried various forums and got no
reply and I need to get sudo working as it was.
I can see that I can build sudo from source, but I need to know whether
the problem I'm getting is simply fixable via the sudoers settings or if
it is a bug in the FC9 version (I say that because if what I'm
experiencing is a bug, then compiling from source will have no effect).
Does anyone have any ideas how I can keep PATH and stop it from being
On Thu, 2008-11-20 at 12:50 +0000, Steve T wrote:
> I have been using sudo on FC from fc4 onwards.
> In FC9 the behaviour seems slightly different, inasmuch as it now
> appears that env_reset is the default. That is fine in itself (it took a
> while to realise that you had to use !env_reset to turn this flag off) -
> but even with !env_reset in the sudoers file, the PATH is still being
> reset to 'presumably' a secure path. I've tried adding PATH to env_keep
> as well, but that had no effect, and trying to unset !secure_path causes
> an error in visudo. How can I keep the user's PATH intact?
> I searched for env_reset in the archives and couldn't see anything
> relevant, but looking through the November threads I did see:
> sudo can't find an executable in my $PATH!
> That entry seemed to be caused by a compile time setting of secure_path
> - but I looked at the sudo -V output for me and can't see that that is
> the case here.
> The sudo -V output is:
> Sudo version 1.6.9p13
> Sudoers path: /etc/sudoers
> Authentication methods: 'pam'
> Syslog facility if syslog is being used for logging: authpriv
> Syslog priority to use when user authenticates successfully: notice
> Syslog priority to use when user authenticates unsuccessfully: alert
> Ignore '.' in $PATH
> Send mail if the user is not in sudoers
> Use a separate timestamp for each user/tty combo
> Lecture user the first time they run sudo
> Require users to authenticate by default
> Root may run sudo
> Allow some information gathering to give useful error messages
> Visudo will honor the EDITOR environment variable
> Set the LOGNAME and USER environment variables
> Length at which to wrap log file lines (0 for no wrap): 80
> Authentication timestamp timeout: 5 minutes
> Password prompt timeout: 5 minutes
> Number of tries to enter a password: 3
> Umask to use or 0777 to use user's: 022
> Address to send mail to: root
> Subject line for mail messages: *** SECURITY information for %h ***
> Incorrect password message: Sorry, try again.
> Path to authentication timestamp dir: /var/run/sudo
> Default password prompt: [sudo] password for %p:
> Default user to run commands as: root
> Path to the editor for use by visudo: /bin/vi
> When to require a password for 'list' pseudocommand: any
> When to require a password for 'verify' pseudocommand: all
> File containing dummy exec functions: /usr/libexec/sudo_noexec.so
> Reset the environment to a default set of variables
> Environment variables to check for sanity:
> Environment variables to remove:
> Environment variables to preserve:
> ...so PATH appears to be in the list to be preserved, but gets reset.
> The sudoers file is:
> ## Sudoers allows particular users to run various commands as
> ## the root user, without needing the root password.
> ## Examples are provided at the bottom of the file for collections
> ## of related commands, which can then be delegated out to particular
> ## users or groups.
> ## This file must be edited with the 'visudo' command.
> ## Host Aliases
> ## Groups of machines. You may prefer to use hostnames (perhaps using
> ## wildcards for entire domains) or IP addresses instead.
> # Host_Alias FILESERVERS = fs1, fs2
> # Host_Alias MAILSERVERS = smtp, smtp2
> ## User Aliases
> ## These aren't often necessary, as you can use regular groups
> ## (ie, from files, LDAP, NIS, etc) in this file - just use %groupname
> ## rather than USERALIAS
> # User_Alias ADMINS = jsmith, mikem
> ## Command Aliases
> ## These are groups of related commands...
> ## Networking
> Cmnd_Alias NETWORKING = /sbin/route, /sbin/ifconfig, /bin/ping, /sbin/dhclient, /usr/bin/net, /sbin/iptables, /usr/bin/rfcomm, /usr/bin/wvdial, /sbin/iwconfig, /sbin/mii-tool
> ## Installation and management of software
> Cmnd_Alias SOFTWARE = /bin/rpm, /usr/bin/up2date, /usr/bin/yum
> ## Services
> Cmnd_Alias SERVICES = /sbin/service, /sbin/chkconfig
> ## Updating the locate database
> Cmnd_Alias LOCATE = /usr/sbin/updatedb
> ## Storage
> Cmnd_Alias STORAGE = /sbin/fdisk, /sbin/sfdisk, /sbin/parted, /sbin/partprobe, /bin/mount, /bin/umount
> ## Delegating permissions
> Cmnd_Alias DELEGATING = /usr/sbin/visudo, /bin/chown, /bin/chmod, /bin/chgrp
> ## Processes
> Cmnd_Alias PROCESSES = /bin/nice, /bin/kill, /usr/bin/kill, /usr/bin/killall
> ## Drivers
> Cmnd_Alias DRIVERS = /sbin/modprobe
> # Defaults specification
> # Disable "ssh hostname sudo <cmd>", because it will show the password in clear.
> # You have to run "ssh -t hostname sudo <cmd>".
> Defaults requiretty
> #Defaults env_reset
> Defaults !env_reset
> #Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
> #Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS
> #Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT
> #Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER
> #Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
> Defaults env_keep += "PATH"
> ## Next comes the main part: which users can run what software on
> ## which machines (the sudoers file can be shared between multiple
> ## systems).
> ## Syntax:
> ## user MACHINE=COMMANDS
> ## The COMMANDS section may have other options added to it.
> ## Allow root to run any commands anywhere
> root ALL=(ALL) ALL
> ## Allows members of the 'sys' group to run networking, software,
> ## service management apps and more.
> # %sys ALL = NETWORKING, SOFTWARE, SERVICES, STORAGE, DELEGATING, PROCESSES, LOCATE, DRIVERS
> ## Allows people in group wheel to run all commands
> # %wheel ALL=(ALL) ALL
> ## Same thing without a password
> # %wheel ALL=(ALL) NOPASSWD: ALL
> ## Allows members of the users group to mount and unmount the
> ## cdrom as root
> # %users ALL=/sbin/mount /mnt/cdrom, /sbin/umount /mnt/cdrom
> ## Allows members of the users group to shutdown this system
> # %users localhost=/sbin/shutdown -h now
> stevet ALL=(ALL) ALL
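The question above comes down to which environment variables survive the sudo privilege boundary, and that is the net effect of several Defaults lines: env_reset, env_keep built up with = and +=, and secure_path. The script below is an added example, not part of the original post and not code from the sudo project. It parses the Defaults entries of a sudoers file and reports the effective settings together with the cases where they do not do what the author likely intended (an env_keep list that is ignored because env_reset is off, or no secure_path at all). Both inputs are constructed: the first repeats the Defaults lines from the poster's own sudoers, the second is a made-up env_reset plus secure_path variant. It models only the classic `Defaults` syntax (no per-user, per-host or per-command qualifiers) and starts every list empty, so sudo's compiled-in env_check/env_delete defaults are not included. It describes the configuration as written; whether the installed binary honours it (for instance a compile-time secure path) still has to be checked with `sudo -V`, as the post does.

```python
"""Audit the environment-handling Defaults of a sudoers file.

Added example, not from the original post or the sudo project. Handles
`Defaults opt`, `Defaults !opt`, `Defaults opt = "..."`, `+=` and `-=`,
comma-separated entries and backslash continuation. Qualified entries
(Defaults:user, Defaults@host, ...) and sudo's built-in list defaults
are deliberately not modelled.
"""
import re
import shlex

LIST_OPTIONS = {"env_keep", "env_check", "env_delete"}
_DEFAULTS_RE = re.compile(r"^Defaults\s+(.*)$")
_ASSIGN_RE = re.compile(r"^(!?)([A-Za-z0-9_]+)\s*(\+=|-=|=)?\s*(.*)$")

# Constructed sample 1: the Defaults lines from the sudoers in the post.
SAMPLE_FC9 = """\
Defaults requiretty
#Defaults env_reset
Defaults !env_reset
#Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "PATH"
root ALL=(ALL) ALL
stevet ALL=(ALL) ALL
"""

# Constructed sample 2: env_reset on, an explicit keep list, a fixed PATH.
SAMPLE_HARDENED = """\
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS"
Defaults env_keep -= "MAIL"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
"""


def _logical_lines(text):
    """Join backslash-continued lines, drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        line, buf = buf + line, ""
        stripped = line.strip()
        if stripped and not stripped.startswith("#"):
            yield stripped
    if buf.strip():
        yield buf.strip()


def _split_entries(spec):
    """Split `a, b = "x y"` on commas that sit outside double quotes."""
    entries, cur, quoted = [], "", False
    for ch in spec:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            entries.append(cur.strip())
            cur = ""
        else:
            cur += ch
    if cur.strip():
        entries.append(cur.strip())
    return entries


def _split_items(value):
    """Turn `"COLORS DISPLAY"` or a bare value into a list of names."""
    try:
        parts = shlex.split(value) if value else []
    except ValueError:  # unbalanced quote: keep the raw text as one item
        parts = [value.strip('"')]
    return [name for chunk in parts for name in chunk.split()]


def effective_defaults(text):
    """Last-wins evaluation of the env-related Defaults in `text`."""
    state = {"env_reset": None, "secure_path": None,
             "env_keep": [], "env_check": [], "env_delete": []}
    for line in _logical_lines(text):
        m = _DEFAULTS_RE.match(line)
        if not m:
            continue  # aliases and user specifications are out of scope
        for entry in _split_entries(m.group(1)):
            am = _ASSIGN_RE.match(entry)
            if not am:
                continue
            neg, name, op, value = am.groups()
            if name in LIST_OPTIONS:
                items = _split_items(value)
                current = state[name]
                if op == "+=":
                    state[name] = current + [i for i in items if i not in current]
                elif op == "-=":
                    state[name] = [i for i in current if i not in items]
                else:
                    state[name] = [] if neg else items
            elif name == "secure_path":
                state["secure_path"] = None if neg else " ".join(_split_items(value))
            elif name == "env_reset":
                state["env_reset"] = not neg
    return state


def audit(text):
    """Return (effective settings, findings) for a sudoers file."""
    d = effective_defaults(text)
    findings = []
    if d["env_reset"] is False:
        findings.append("env_reset is disabled: the invoking user's environment is "
                        "passed through (subject to env_check/env_delete), PATH included, "
                        "unless a secure_path applies")
        if d["env_keep"]:
            findings.append("env_keep only applies while env_reset is on; these entries "
                            "currently have no effect: " + " ".join(d["env_keep"]))
    if d["secure_path"] is None:
        findings.append("no secure_path in sudoers: PATH is taken from the invoking user "
                        "unless sudo was built with a compile-time secure path")
    return d, findings


if __name__ == "__main__":
    for label, sample in (("fc9 sample", SAMPLE_FC9), ("hardened sample", SAMPLE_HARDENED)):
        settings, notes = audit(sample)
        print(f"== {label}: {settings}")
        for note in notes:
            print("  -", note)
```

Run against the poster's Defaults the audit reports that env_reset is off, that the `env_keep += "PATH"` line is therefore inert, and that no secure_path is configured in the file; the second sample reports nothing. The list semantics (= replaces, += appends without duplicates, -= removes) follow the sudoers(5) description of list options.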