[sudo-users] How to preserve functions in scripts for calling by sudo?

Todd C. Miller Todd.Miller at courtesan.com
Sat Jun 3 08:32:26 MDT 2017


On Fri, 02 Jun 2017 14:10:10 -0700, "L. A. Walsh" wrote:

> Why would sudo not allow functions to be kept via the env_keep
> list, when the user specifies that they don't want to env to be
> reset in the first place?

Because disabling env_reset doesn't mean that sudo doesn't modify
the environment.  It simply switches to the old method of using a
blacklist of "dangerous" environment variables instead of a whitelist
of variables to preserve.  Basically env_keep is only used when
env_reset is enabled.

However, if you truly want to preserve the environment as-is you
can do the following:

Defaults env_keep += "*"
Defaults env_keep += "*=()*"

This will preserve the environment, including bash functions, as
long as env_reset is not disabled.  You need to be running sudo
1.8.11 or higher for this to work.

The reason for not preserving bash functions in the environment is
that it allows a user with sudo permissions to subvert any bash
script.

Instead of having the functions inherited via the environment I'd
suggest you include them in the scripts where they are needed.
Alternately, you could push the use of sudo down to the actual
command where it is needed.  In other words, only use sudo for the
mv or rm commands in your example.

 - todd
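A defender-side check for the risk Todd describes, added here as an example and not part of his reply or of sudo itself: a POSIX shell function that lists functions arriving through the environment (bash exports a function as an entry whose value begins with "() {", named BASH_FUNC_name%% on modern bash, which is what the "*=()*" pattern above matches), plus a guard a sudo-invoked script can call before doing anything else. The sample env lines in demo_sample are constructed.

```shell
#!/bin/sh
# Added example (not from Todd's reply or from sudo): detect bash functions
# that arrive through the environment rather than being defined in the script.
# bash exports a function as an environment entry whose value starts with
# "() {" (modern bash names it BASH_FUNC_name%%, older bash used the bare
# function name), which is what sudo's "*=()*" env_keep pattern matches.

# Read "NAME=VALUE" lines (e.g. the output of `env`) on stdin and print the
# name of every entry that carries a function definition.
env_functions() {
    while IFS= read -r entry; do
        name=${entry%%=*}
        value=${entry#*=}
        # Lines without "=" are continuation lines of a multi-line body; skip.
        [ "$name" != "$entry" ] || continue
        case $value in
            '() {'*) ;;        # looks like an exported function
            *) continue ;;
        esac
        # Unwrap BASH_FUNC_name%% (or BASH_FUNC_name() on some builds).
        case $name in
            BASH_FUNC_*%%|BASH_FUNC_*'()') name=${name#BASH_FUNC_}; name=${name%??} ;;
        esac
        printf '%s\n' "$name"
    done
}

# Guard for the top of a script that runs under sudo: refuse to continue if
# any function was inherited from the caller's environment. Returns 1 if so.
refuse_inherited_functions() {
    found=$(env | env_functions)
    if [ -n "$found" ]; then
        printf 'refusing to run: function(s) inherited via environment: %s\n' "$found" >&2
        return 1
    fi
    return 0
}

# Constructed sample of what `env` prints when a caller has exported "mv"
# (modern bash format) and "rm" (old-style), the two commands from the thread.
demo_sample() {
    printf '%s\n' 'PATH=/usr/bin' \
        'BASH_FUNC_mv%%=() {  echo "not the real mv"' '}' \
        'HOME=/root' \
        'rm=() {  :' '}' | env_functions
}

demo_sample   # prints mv and rm, one per line
```

Calling refuse_inherited_functions first thing in a script that is run through sudo makes the script stop if the caller's environment carried function definitions, which is the case Todd's "subvert any bash script" remark refers to.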

