Passing PATH through sudo
Solution 1
Struggled with the same problem for a few hours. In Debian lenny, you can fix it by adding
Defaults exempt_group=<your group>
to the sudoers file.
This is the only way to go around the compiled --secure-path option (as far as I know).
Notably, this will also exempt users from needing to enter their password when they sudo.
Solution 2
If you have secure_path set in /etc/sudoers, you can play with env_reset / env_keep all you like and it won't make any difference to the path. If you see something like this, comment it out.
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
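As an added example (not part of the original answers): a shell check that reads the secure_path a sudoers file sets and, when a directory such as the question's /var/lib/gems/1.8/bin is missing, prints the Defaults line that appends it to secure_path, an alternative to commenting the line out. The function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers). Handles only global
# "Defaults secure_path=..." lines on their own; scoped Defaults,
# line continuations and #include files are ignored (assumption).

# Print the value of the last global secure_path setting, empty if none.
secure_path_of() {
    sed -n 's/^[[:space:]]*Defaults[[:space:]]\{1,\}secure_path[[:space:]]*=[[:space:]]*//p' "$1" |
        tail -n 1 | sed 's/[[:space:]]*$//; s/^"//; s/"$//'
}

# Succeed if directory $1 is an entry of the colon-separated list $2.
in_path_list() {
    case ":$2:" in
        *":$1:"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Report how sudoers file $2 treats directory $1.
check_dir() {
    sp=$(secure_path_of "$2")
    if [ -z "$sp" ]; then
        # No line in this file; a compiled-in default may still apply.
        echo "no-secure_path"
    elif in_path_list "$1" "$sp"; then
        echo "covered"
    else
        # Appending the directory keeps a fixed PATH for sudo commands.
        echo "missing: Defaults secure_path=\"$sp:$1\""
    fi
}

# Constructed sample: the two Defaults lines quoted on this page.
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
# commented-out lines are ignored
Defaults env_keep = "PATH"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin
root ALL=(ALL) ALL
EOF

check_dir /usr/bin "$SAMPLE"
check_dir /var/lib/gems/1.8/bin "$SAMPLE"
```

Any line it suggests should go into the sudoers file through visudo, which checks the syntax before saving.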
whitequark
Updated on September 17, 2022
Comments
-
whitequark over 1 year
In short: how to make sudo not flush PATH every time?
I have some websites deployed on my server (Debian testing) written with Ruby on Rails. I use Mongrel+Nginx to host them, but there is one problem that comes when I need to restart Mongrel (e.g. after making some changes).
All sites are checked in VCS (git, but it is not important) and have owner and group set to my user, whereas Mongrel runs under the, huh, mongrel user that is severely restricted in its rights. So Mongrel must be started under root (it can automatically change UID) or mongrel.
To manage mongrel I use mongrel_cluster gem because it allows starting or stopping any number of Mongrel servers with just one command. But it needs the directory /var/lib/gems/1.8/bin to be in PATH: it is not enough to start it with an absolute path.
Modifying PATH in root .bashrc changed nothing, tweaking sudo's env_reset and env_keep didn't either.
So the question: how to add a directory to PATH or keep user's PATH in sudo?
Update: some examples
$ env | grep PATH
PATH=/usr/local/bin:/usr/bin:/bin:/usr/games:/var/lib/gems/1.8/bin
$ sudo cat /etc/sudoers | egrep -v '^$|^#'
Defaults env_keep = "PATH"
root ALL=(ALL) ALL
%sudo ALL=NOPASSWD: ALL
$ sudo env | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin
Also I can say that it works exactly this way in Debian stable (lenny) too.
-
whitequark about 14 years
No, when env_reset is turned off it still changes (not erases) PATH. Probably this is done to add /*/sbin dirs. No, the -i option is not suitable because it starts an interactive shell, and I need only to run a command.
-
whitequark about 14 years
Okay, the problem vanished after reinstalling Debian (because of migrating to LVM) and also RubyGems; your answer was the most useful of all so it can be accepted now.
-
whitequark almost 14 years
No, of course it wasn't set.