[sudo-users] env_reset ignored under sudoers plugin?

Humphries, Gareth Gareth.Humphries at WorldPay.com
Mon Oct 3 07:54:04 MDT 2016


I'm working on privileges, and hit up against a situation I don't think should be happening.
We have a centralised sudo config provided by plugin, and I'm trying to lock a user down from changing the environment in it - however I cannot find a setup that disallows -E.  In a non-centralised setup I can do this fine with env_reset, but it seems to be ignored in the centralised setup.

$ sudo -l
Matching Defaults entries for testusr on this host:
    log_input, log_output, env_reset, always_set_home

Runas and Command-specific defaults for testusr:
    Defaults>imsadm targetpw
    Defaults>imsroot targetpw

User testusr may run the following commands on this host:
    (root) NOPASSWD: /sbin/arping

When I run sudo as testusr under this config with -E, I get:

$ sudo -E /sbin/arping -V
arping utility, iputils-sss20071127

I've tried a number of configurations, none of them will restrict -E.  I can get sudo producing identical output for -l on a standalone host, and it behaves as expected:

$ sudo -E /sbin/arping
sudo: sorry, you are not allowed to preserve the environment

Anyone know what I'm doing wrong?  I'm at a loss.

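Added example (not part of the original message): a check that reads `sudo -l` output and reports, per command, whether the listed policy should honour `sudo -E`. It relies on the `setenv` flag and the SETENV/NOSETENV tags from the sudoers manual, which the post does not mention; the function name and the /usr/bin/rsync entry are constructed for illustration.

```python
import re

# Constructed sample: the `sudo -l` listing from the post, plus one
# hypothetical entry (/usr/bin/rsync) carrying a SETENV tag for contrast.
SAMPLE = """\
Matching Defaults entries for testusr on this host:
    log_input, log_output, env_reset, always_set_home

Runas and Command-specific defaults for testusr:
    Defaults>imsadm targetpw
    Defaults>imsroot targetpw

User testusr may run the following commands on this host:
    (root) NOPASSWD: /sbin/arping
    (root) NOPASSWD: SETENV: /usr/bin/rsync
"""

def preserve_env_allowed(listing):
    """Map each listed command to True if the listed policy permits `sudo -E`.

    Per sudoers(5): -E is honoured when the `setenv` flag is on, the entry
    has the SETENV tag, or the command is ALL (SETENV implied); a NOSETENV
    tag overrides all three. Scoped (runas/command) Defaults are skipped.
    """
    section, setenv, result = None, False, {}
    for line in listing.splitlines():
        if line.startswith("Matching Defaults entries"):
            section = "defaults"
        elif line.startswith("Runas and Command-specific defaults"):
            section = "scoped"
        elif re.match(r"User \S+ may run the following commands", line):
            section = "commands"
        elif section == "defaults" and line.strip():
            for flag in (f.strip() for f in line.split(",")):
                if flag in ("setenv", "!setenv"):
                    setenv = not flag.startswith("!")
        elif section == "commands" and line.strip():
            # "(runas) TAG: TAG: command[, command...]"
            m = re.match(r"\s*\(([^)]*)\)\s*((?:[A-Z_]+:\s*)*)(.+)$", line)
            if not m:
                continue
            tags = set(re.findall(r"[A-Z_]+", m.group(2)))
            for cmd in (c.strip() for c in m.group(3).split(", ")):
                allowed = setenv or "SETENV" in tags or cmd == "ALL"
                result[cmd] = allowed and "NOSETENV" not in tags
    return result
```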
