[sudo-users] Punching in a secure_path w/o Touching Global secure_path

Todd C. Miller Todd.Miller at sudo.ws
Wed Mar 14 06:25:52 MDT 2018


On Tue, 13 Mar 2018 20:39:06 -0000, "Jepeway, Chris" wrote:

> What I'd like to do is something like this, for various commands
> that get installed outside the normal places, in /opt, say:
>
> 	Cmnd_Alias      WHACK=/opt/whack/bin
> 	Defaults!WHACK  secure_path=/bin:/usr/bin:/opt/whack/bin

This is a chicken vs. egg kind of situation.  The per-command
Defaults are evaluated _after_ the command's full path has been
resolved.  Sudo won't find /opt/whack/bin without the secure_path
setting but the Defaults line that sets it won't be evaluated until
after the command is found.

I think what you really need is the ability to append to secure_path
from an include file.  That way your per-package sudoers.d files
could add what is needed.  Unfortunately, that's not currently
possible.

 - todd
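
The ordering described in the message above can be checked for mechanically. The following lint is an added example, not part of the original message and not code from sudo: it reports directories that a per-command `Defaults!` line adds to secure_path but that the global secure_path lacks, since those are not searched when the command is resolved. The global `Defaults secure_path` line in the sample, the function names and the simplified parsing are assumptions.

```python
import re

# Constructed sample: the first line is an assumed global setting; the other
# two lines are the fragment quoted in the message.
SAMPLE = """\
Defaults        secure_path=/bin:/usr/bin
Cmnd_Alias      WHACK=/opt/whack/bin
Defaults!WHACK  secure_path=/bin:/usr/bin:/opt/whack/bin
"""

SECURE_PATH = re.compile(r'\bsecure_path\s*=\s*(?:"([^"]*)"|([^\s,]+))')
DEFAULTS = re.compile(r'^Defaults(?:!(\S+))?\s+(.*)$')


def split_path(match):
    """Turn a secure_path regex match into a list of directories."""
    value = match.group(1) if match.group(1) is not None else match.group(2)
    return [d for d in value.split(":") if d]


def lookup_blind_dirs(sudoers_text):
    """Map each Defaults!target to the secure_path dirs it adds that the
    global secure_path lacks. Per the message, those dirs are not searched
    when sudo resolves the command. Simplified: no line continuations or
    includes; user/host/runas-bound Defaults are ignored."""
    global_dirs, per_cmnd = None, {}
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        d = DEFAULTS.match(line)
        sp = SECURE_PATH.search(d.group(2)) if d else None
        if not sp:
            continue
        if d.group(1) is None:
            global_dirs = split_path(sp)      # last global setting wins
        else:
            per_cmnd[d.group(1)] = split_path(sp)
    if global_dirs is None:
        return {}  # lookup uses the invoking user's PATH; cannot judge here
    extra = {t: [x for x in dirs if x not in global_dirs] for t, dirs in per_cmnd.items()}
    return {t: e for t, e in extra.items() if e}


if __name__ == "__main__":
    for target, dirs in lookup_blind_dirs(SAMPLE).items():
        print(f"Defaults!{target}: not searched at lookup time: {', '.join(dirs)}")
```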

