How do I make sudo preserve my environment variables?
Solution 1
Use carefully, there are security issues with sudo and variables.
From man sudoers
I found that you should use
Defaults env_reset Defaults env_keep += "PYTHONPATH OTHERVARIABLE YETANOTHER"
In Ubuntu, sudo
does preserves some variables. sudo -i
is more like logging in as root and then running the command.
Both may be inconvenient, the former for sudo nano myfile
leaves root-owned files inside your home and the latter for sudo -i nano myfile
will try to open /root/myfile.
Run
sudo printenv PATH
and see what it gives. Here it gives
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
for example. Now run sudo visudo
and add the line
Defaults secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
replacing by what you found just before. Append a new path to it if you need.
About libraries:
sudo LD_LIBRARY_PATH=/usr/lib/path/to/a/safe/library your command
Linux distributions take a lot of
care with PATH
, and you really should be careful before playing with it.
Be specially careful about adding paths like ".
" or /home/username
, it is unsecure.
One of the dangers of adding paths is that it opens for the possibility of files on these paths getting executed by root
, opening a windows in the system security that may be exploited by malicious software. There may be other dangers. Just make sure you know what you are doing. Bypassing sudo
security measures may render your Solaris as safe as Windows XP.
Solution 2
Fiddling with sudoers
is to be done with caution, as others have said.
A simpler approach for simpler cases when there are particular environment variables you want to preserve is to just pass the environment variable you want directly through sudo (this is shown as [VAR=value]
in the sudo cmdline help).
See this small example where I have also demonstrated it for more than one variable.
$ export MY_V1=1
$ export MY_V2=2
$ printenv | grep MY_V
MY_V2=2
MY_V1=1
$ sudo MY_V1=$MY_V1 MY_V2=$MY_V2 printenv | grep MY_V
MY_V2=2
MY_V1=1
For the original PYTHONPATH
example in the question, just use the following:
$ sudo PYTHONPATH=$PYTHONPATH python some_script.py
<script_output_here>
Creating an alias for this type of thing is handy. Like so:
$ alias sudopy='sudo PYTHONPATH=$PYTHONPATH python'
Solution 3
Your Defaults !env_reset
looks OK, assuming you're not also calling sudo with the -E
option.
You could try removing that entry completely.
Have you verified you're editing the correct sudoers file? I'm guessing it could be /etc/sudoers
or /usr/local/etc/sudoers
depending on how it was installed. Did you edit it using visudo
?
How are you running sudo? sudo python
, sudo su
, sudo su -
, sudo -s
, something else? Only sudo python
and sudo su
would preserve your environment.
What does env | grep PYTHONPATH
say? If nothing, make sure PYTHONPATH is exported by running export PYTHONPATH
and try again.
What does sudo env | grep PYTHONPATH
say? If it prints the expected value, then something else is overwriting your PYTHONPATH value. Maybe root's .bashrc or .bash_profile or the system-wide configuration files.
Related videos on Youtube
Mike Makuch
Updated on September 17, 2022Comments
-
Mike Makuch over 1 year
Using sudo 1.7.4p4 on Solaris 5.10 and sudo 1.6.7p5 on RHEL4 u6 I can't see how to preserve my environment variables, for instance $PYTHONPATH. I've added this line to sudoers, but it doesn't make any difference:
Defaults !env_reset
Am I doing something wrong, or is the sudo installation simply not respecting the env_reset flag?
Edit: At least on Solaris, we've found that this issue depends on the shell! The standard root shell is Bourne, if we run bash under sudo (
sudo bash
) on the other hand, !env_preset will preserve the environment (including PATH and LD_LIBRARY_PATH). This is rather confusing behaviour I have to say.-
Ciro Santilli Путлер Капут 六四事 over 8 years
-
okapi over 2 yearsJust be careful as you can introduce security vulnerabilities where individual commands are permitted via sudoers. Preserving HOME for a Python executable or shell script for example.
-
-
Mike Makuch over 13 yearsI am pretty sure I am editing the correct sudoers, with the installation prefix corresponding to sudo. I am running sudo as "sudo su". I'll have to get back to you, in a few days unfortunately, wrt to the rest of your suggestions. Thanks!
-
Nethan over 13 yearsTry changing an unimportant setting like
editor
orpassprompt
to see if you have the correct file. Or use strace, dtrace, truss, or similar and see what files it opens. -
Mike Makuch over 13 yearsThanks for the suggestion. On Solaris at least, it appears that env_keep works only in part though, as it ignores PATH and LD_LIBRARY_PATH. Maybe sudo is built with settings that makes it refuse to preserve "dangerous" variables?
-
Mike Makuch over 13 yearsenv | grep PYTHONPATH as my user prints the expected value, under sudo however, nothing is printed. Editing sudoers, I can ensure that PYTHONPATH is preserved by modifying "env_keep". However, env_keep will not preserve PATH or LD_LIBRARY_PATH. I guess sudo has a security restriction to not preserve variables like PATH and LD_LIBRARY_PATH? A build-time setting perhaps?
-
user39559 over 13 yearsDid it work with another vairable, like AKNUDS? You can also run sudo sudo -V (yes, twice sudo!) and see what it says. Here the above solution works fine with PYTHONPATH, but PATH really seems special. The true problem is with PATH. In Ubuntu they build sudo deliberately reseting PATH.
-
Mike Makuch over 13 yearsenv_keep preserved PYTHONPATH and HOME for me, so there is clearly some filtering going on.
-
Mike Makuch over 13 yearsIn your revised solution, you're suggesting that I hard-wire the sudo PATH by modifying secure_path, right? I don't think I want to do that. We're probably close to an answer to my question though; I think sudo is built to ignore reset_env and to ignore variables such as PATH and LD_LIBRARY_PATH, when specified with env_keep. I think I can do without preserving PATH/LD_LIBRARY_PATH under sudo, it's no biggie, but it's still interesting to know why it won't work :)
-
Nethan over 13 yearsIf sudo was compiled with --with-secure-path, that would be modifying PATH, but the docs don't say it touches LD_LIBRARY_PATH.
-
Nethan over 13 yearsWhat about env_delete? Also, man page says: Note that many operating systems will remove potentially dangerous variables from the environment of any setuid process (such as sudo).
-
Nethan over 13 yearsNot sure why you have to modify env_keep to keep PYTHONPATH. If !env_reset is in effect and there are no env_delete entries, that should be sufficient AFAIUI.
-
Mike Makuch over 13 years!env_reset is ignored as far as I can tell, but I can double-check tomorrow. I'm quite sure env_delete isn't being set, but I can check that too.
-
Mike Makuch over 13 yearsI have confirmed that !env_reset is ignored and env_delete is not set.
-
user39559 over 13 yearsIt won't work because
sudo
writers were careful in preventing you from doing it. You don't want malicious library being loaded because they were found in the path used by sudo. So, that's why it's reset. If you are coding stuff that is meant to be run by root, copy them to the appropriate system directory. -
user39559 over 13 yearsRun
sudo sudo -V | less
and that will give you a lot of information, including whetherPATH
is overriden. You can test if it is really yourPATH
that is being passed tosudo bash
but not tosudo bourne
rather than something specified by bash itself. If you are really sure this is the case (which seems unlikely), than that's a serious bug ofsudo
that I really wouldn't understand. About your original question, the safe and correct way of doing it is placing your executables and libraries on standard system directories that are already reached bysudo
, rather than changinPATH
. -
Mike Makuch over 13 yearsThanks for the suggestion, I'll try sudo -V when I'm back at work. Putting the executables/libraries in question on the standard path isn't always what you want to do though; in my case I wanted to install extensions to an isolated Python installation, to which only root had write access. I wouldn't want it to be the default Python for any sudo user in the system.
-
Mike Makuch over 13 yearssudo sudo -V on Solaris says that for instance PYTHONPATH is among "environment variables to remove". The installation must be configured to ignore that and certain other variables, even though env_reset is turned off.
-
ubershmekel almost 12 yearsI think it would be a lot more useful to explain the dangers rather than plaster "be careful" warnings. Did you mean that by adding paths to sudo's environment, a bad-user may override system binaries by modifying the user-space path?
-
user39559 almost 12 yearsIt opens a big window. One of the possibilities is the one you mention. I can't pretend to make a full list.
-
kynan almost 11 years@mcandre That's due to
secure_path
being active.sudo sudo -V
lists that path, but still claimsPATH
is preserved (which I suppose is a bug). -
Iain Samuel McLean Elder over 10 yearsSolved my problem on Server Fault! Thanks.
-
DavidPostill almost 8 yearsNice, but the question is not about Ubuntu. Hint: Next time look at the tags under the question.
-
petertc over 7 yearsthe priority of secure_path is higher than keep_env, so simply add keep_env +="PATH" is not work.
-
Able Mac almost 5 yearsmight be good to make that -- alias sudopy='sudo PYTHONPATH=$PYTHONPATH python' -- then use it sudopy some_script.py
-
Curious almost 5 years@AbleMac You are right. That was a mistake... I'll fix it. Thanks!