How do I make sudo preserve my environment variables?

environment-variables sudo redhat-enterprise-linux solaris-10

112,366

Solution 1

Use carefully, there are security issues with sudo and variables.

From man sudoers I found that you should use

Defaults        env_reset
Defaults        env_keep += "PYTHONPATH OTHERVARIABLE YETANOTHER"

In Ubuntu, sudo does preserves some variables. sudo -i is more like logging in as root and then running the command. Both may be inconvenient, the former for sudo nano myfile leaves root-owned files inside your home and the latter for sudo -i nano myfile will try to open /root/myfile.

Run

sudo printenv PATH

and see what it gives. Here it gives

/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin

for example. Now run sudo visudo and add the line

Defaults        secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin

replacing by what you found just before. Append a new path to it if you need.

About libraries:

sudo LD_LIBRARY_PATH=/usr/lib/path/to/a/safe/library your command

Linux distributions take a lot of care with PATH, and you really should be careful before playing with it. Be specially careful about adding paths like "." or /home/username, it is unsecure.

One of the dangers of adding paths is that it opens for the possibility of files on these paths getting executed by root, opening a windows in the system security that may be exploited by malicious software. There may be other dangers. Just make sure you know what you are doing. Bypassing sudo security measures may render your Solaris as safe as Windows XP.

Solution 2

Fiddling with sudoers is to be done with caution, as others have said.

A simpler approach for simpler cases when there are particular environment variables you want to preserve is to just pass the environment variable you want directly through sudo (this is shown as [VAR=value] in the sudo cmdline help).

See this small example where I have also demonstrated it for more than one variable.

$ export MY_V1=1
$ export MY_V2=2
$ printenv | grep MY_V
MY_V2=2
MY_V1=1
$ sudo MY_V1=$MY_V1 MY_V2=$MY_V2 printenv | grep MY_V
MY_V2=2
MY_V1=1

For the original PYTHONPATH example in the question, just use the following:

$ sudo PYTHONPATH=$PYTHONPATH python some_script.py
<script_output_here>

Creating an alias for this type of thing is handy. Like so:

$ alias sudopy='sudo PYTHONPATH=$PYTHONPATH python'

Solution 3

Your Defaults !env_reset looks OK, assuming you're not also calling sudo with the -E option.

You could try removing that entry completely.

Have you verified you're editing the correct sudoers file? I'm guessing it could be /etc/sudoers or /usr/local/etc/sudoers depending on how it was installed. Did you edit it using visudo?

How are you running sudo? sudo python, sudo su, sudo su -, sudo -s, something else? Only sudo python and sudo su would preserve your environment.

What does env | grep PYTHONPATH say? If nothing, make sure PYTHONPATH is exported by running export PYTHONPATH and try again.

What does sudo env | grep PYTHONPATH say? If it prints the expected value, then something else is overwriting your PYTHONPATH value. Maybe root's .bashrc or .bash_profile or the system-wide configuration files.

112,366

Mike Makuch

Updated on September 17, 2022

Comments

Mike Makuch over 1 year
Using sudo 1.7.4p4 on Solaris 5.10 and sudo 1.6.7p5 on RHEL4 u6 I can't see how to preserve my environment variables, for instance $PYTHONPATH. I've added this line to sudoers, but it doesn't make any difference:
```
Defaults !env_reset
```
Am I doing something wrong, or is the sudo installation simply not respecting the env_reset flag?

Edit: At least on Solaris, we've found that this issue depends on the shell! The standard root shell is Bourne, if we run bash under sudo (sudo bash) on the other hand, !env_preset will preserve the environment (including PATH and LD_LIBRARY_PATH). This is rather confusing behaviour I have to say.
- Ciro Santilli Путлер Капут 六四事 over 8 years
  
  stackoverflow.com/questions/8633461/…
- okapi over 2 years
  
  Just be careful as you can introduce security vulnerabilities where individual commands are permitted via sudoers. Preserving HOME for a Python executable or shell script for example.
Mike Makuch over 13 years

I am pretty sure I am editing the correct sudoers, with the installation prefix corresponding to sudo. I am running sudo as "sudo su". I'll have to get back to you, in a few days unfortunately, wrt to the rest of your suggestions. Thanks!
Nethan over 13 years

Try changing an unimportant setting like editor or passprompt to see if you have the correct file. Or use strace, dtrace, truss, or similar and see what files it opens.
Mike Makuch over 13 years

Thanks for the suggestion. On Solaris at least, it appears that env_keep works only in part though, as it ignores PATH and LD_LIBRARY_PATH. Maybe sudo is built with settings that makes it refuse to preserve "dangerous" variables?
Mike Makuch over 13 years

env | grep PYTHONPATH as my user prints the expected value, under sudo however, nothing is printed. Editing sudoers, I can ensure that PYTHONPATH is preserved by modifying "env_keep". However, env_keep will not preserve PATH or LD_LIBRARY_PATH. I guess sudo has a security restriction to not preserve variables like PATH and LD_LIBRARY_PATH? A build-time setting perhaps?
user39559 over 13 years

Did it work with another vairable, like AKNUDS? You can also run sudo sudo -V (yes, twice sudo!) and see what it says. Here the above solution works fine with PYTHONPATH, but PATH really seems special. The true problem is with PATH. In Ubuntu they build sudo deliberately reseting PATH.
Mike Makuch over 13 years

env_keep preserved PYTHONPATH and HOME for me, so there is clearly some filtering going on.
Mike Makuch over 13 years

In your revised solution, you're suggesting that I hard-wire the sudo PATH by modifying secure_path, right? I don't think I want to do that. We're probably close to an answer to my question though; I think sudo is built to ignore reset_env and to ignore variables such as PATH and LD_LIBRARY_PATH, when specified with env_keep. I think I can do without preserving PATH/LD_LIBRARY_PATH under sudo, it's no biggie, but it's still interesting to know why it won't work :)
Nethan over 13 years

If sudo was compiled with --with-secure-path, that would be modifying PATH, but the docs don't say it touches LD_LIBRARY_PATH.
Nethan over 13 years

What about env_delete? Also, man page says: Note that many operating systems will remove potentially dangerous variables from the environment of any setuid process (such as sudo).
Nethan over 13 years

Not sure why you have to modify env_keep to keep PYTHONPATH. If !env_reset is in effect and there are no env_delete entries, that should be sufficient AFAIUI.
Mike Makuch over 13 years

!env_reset is ignored as far as I can tell, but I can double-check tomorrow. I'm quite sure env_delete isn't being set, but I can check that too.
Mike Makuch over 13 years

I have confirmed that !env_reset is ignored and env_delete is not set.
user39559 over 13 years

It won't work because sudo writers were careful in preventing you from doing it. You don't want malicious library being loaded because they were found in the path used by sudo. So, that's why it's reset. If you are coding stuff that is meant to be run by root, copy them to the appropriate system directory.
user39559 over 13 years

Run sudo sudo -V | less and that will give you a lot of information, including whether PATH is overriden. You can test if it is really your PATH that is being passed to sudo bash but not to sudo bourne rather than something specified by bash itself. If you are really sure this is the case (which seems unlikely), than that's a serious bug of sudo that I really wouldn't understand. About your original question, the safe and correct way of doing it is placing your executables and libraries on standard system directories that are already reached by sudo, rather than changin PATH.
Mike Makuch over 13 years

Thanks for the suggestion, I'll try sudo -V when I'm back at work. Putting the executables/libraries in question on the standard path isn't always what you want to do though; in my case I wanted to install extensions to an isolated Python installation, to which only root had write access. I wouldn't want it to be the default Python for any sudo user in the system.
Mike Makuch over 13 years

sudo sudo -V on Solaris says that for instance PYTHONPATH is among "environment variables to remove". The installation must be configured to ignore that and certain other variables, even though env_reset is turned off.
ubershmekel almost 12 years

I think it would be a lot more useful to explain the dangers rather than plaster "be careful" warnings. Did you mean that by adding paths to sudo's environment, a bad-user may override system binaries by modifying the user-space path?
user39559 almost 12 years

It opens a big window. One of the possibilities is the one you mention. I can't pretend to make a full list.
kynan almost 11 years

@mcandre That's due to secure_path being active. sudo sudo -V lists that path, but still claims PATH is preserved (which I suppose is a bug).
Iain Samuel McLean Elder over 10 years

Solved my problem on Server Fault! Thanks.
DavidPostill almost 8 years

Nice, but the question is not about Ubuntu. Hint: Next time look at the tags under the question.
petertc over 7 years

the priority of secure_path is higher than keep_env, so simply add keep_env +="PATH" is not work.
Able Mac almost 5 years

might be good to make that -- alias sudopy='sudo PYTHONPATH=$PYTHONPATH python' -- then use it sudopy some_script.py
Curious almost 5 years

@AbleMac You are right. That was a mistake... I'll fix it. Thanks!