[sudo-users] SETENV

Eric Freeman eric.freeman at tbwachiat.com
Fri Mar 27 12:36:51 EDT 2009


I removed the SETENV line since it didn't appear to be working and
added the Defaults !env_reset line.

Everything is working now.

Is there a better way to accomplish this without weakening the sudo
security?

Thanks

sudo -l
Matching Defaults entries for root on this host:
    log_year, logfile=/var/adm/syslog/sudo.log, !env_reset,
    logfile=/var/adm/syslog/sudo.log, log_year

Runas and Command-specific defaults for root:


User root may run the following commands on this host:
    (ALL) ALL
    (root) NOPASSWD: /usr/sbin/mount, (root) /usr/sbin/umount, (root)
    /usr/sbin/pfs_mount, (root) /usr/sbin/pfs_umount, (root) /usr/sbin/pfsd
    (root) (ALL) ALL



On 3/27/09 12:01 PM, "Todd C. Miller" <Todd.Miller at courtesan.com> wrote:

> In message <C5F26E19.3442A%eric.freeman at tbwachiat.com>
> so spake Eric Freeman (eric.freeman):
> 
>> Since upgrading to sudo-1.7.0 and turning on LDAP (I don't think this point
>> is relevant since it is a local user) it appears the user's environment
>> variables are not being honored.
>> 
>> I was reading the man pages and using google but I need some help. I am
>> running sudo-1.7.0 on HPUX 11.11
>> 
>> I modified the /etc/sudoers to look like:
>> 
>> ALL     ALL=(ALL) SETENV: ALL
>> 
>> However, this is not working.
>> 
>> When I run sudo -E I receive the following error:
>> 
>> sudo: sorry, you are not allowed to preserve the environment
>> 
>> I believe I need to change something in the above line in /etc/sudoers.
> 
> That line looks correct, perhaps there is another sudoers line
> that is overriding it.  What does the output of "sudo -l" show?
> 
> Note that you can change the environment handling to be more like
> versions of sudo prior to 1.6.9 with a line like:
> 
> Defaults !env_reset
> 
> in sudoers, though there are security consequences.  The "SECURITY
> NOTES" section of the manual talks a little bit about this.
> 
>  - todd
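
As an added example that is not part of this thread or of the sudo project's own documentation: a /etc/sudoers fragment contrasting the setting the thread settles on (Defaults !env_reset, which passes the caller's environment through subject only to env_delete and env_check) with two narrower alternatives that sudoers(5) provides: keeping env_reset on and preserving a named allowlist with env_keep, or granting the SETENV tag only to the account and commands that actually need sudo -E. The variable names, the account name opsadmin and the command chosen are placeholders, not taken from the thread.

```sudoers
## Weak: what the thread ends up with. Turns off the environment
## sanitizing sudo has done by default since 1.6.9; every variable in
## the caller's environment that is not matched by env_delete or
## env_check is inherited by the command.
Defaults !env_reset

## Narrower: leave env_reset on and preserve only an explicit allowlist.
## EDITOR, VISUAL and http_proxy are placeholders; list the variables
## your commands actually need.
Defaults env_keep += "EDITOR VISUAL http_proxy"

## Narrower still: permit "sudo -E" (and VAR=value on the sudo command
## line) only for one trusted account and one command. Variables set
## this way bypass env_keep, env_check and env_delete, so this tag
## should go only to trusted users. "opsadmin" and the command are
## placeholders. Note that current sudoers(5) manuals say a command
## of ALL implies SETENV, which is why "ALL ALL=(ALL) SETENV: ALL"
## grants far more than a single variable passthrough.
opsadmin ALL = (root) SETENV: /usr/sbin/pfs_mount
```

After editing, run visudo -c to syntax-check the file and then sudo -l as the affected user, as Todd asked for above: the Defaults line should no longer show !env_reset, and sudo -E should succeed only for the entries carrying the SETENV tag.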






