
So, this is something I can't wrap my head around. I know how to configure sudo to keep all envs intact; I'm now baffled by what causes the different behaviour on Ubuntu vs. Debian.

So in Debian I have the sudoers configured with

~# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Allow members of group sudo to execute any command
%sudo    ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

I set some variables at /etc/environment, re-login and test:

~# sudo sh -c 'echo $FOO'


The environment is not there, as it shouldn't be (AFAIK at least), since sudoers is configured to reset the env.

Doing the same stuff on Ubuntu:

~# cat /etc/sudoers
#
# This file MUST be edited with the 'visudo' command as root.
#
# Please consider adding local content in /etc/sudoers.d/ instead of
# directly modifying this file.
#
# See the man page for details on how to write a sudoers file.
#
Defaults    env_reset
Defaults    mail_badpass
Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin"

# Host alias specification

# User alias specification

# Cmnd alias specification

# User privilege specification
root    ALL=(ALL:ALL) ALL

# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL

# Allow members of group sudo to execute any command
%sudo   ALL=(ALL:ALL) ALL

# See sudoers(5) for more information on "#include" directives:

#includedir /etc/sudoers.d

Note: It has the same env_reset set. But:

~# sudo sh -c 'echo $FOO'
bar

So the question that baffles me is: why does this work on Ubuntu even when env_reset is set, and neither my Ubuntu nor my Debian config has any env_keep set?

Numppa

1 Answer

man 5 sudoers says:

By default, the env_reset option is enabled. This causes commands to be executed with a new, minimal environment. On AIX (and Linux systems without PAM), the environment is initialized with the contents of the /etc/environment file.

So PAM is important. Let's check /etc/pam.d/sudo on both systems. This line is there on Ubuntu but not on Debian:

session    required   pam_env.so readenv=1 user_readenv=0

Then this is what man 8 pam_env says:

This module can also parse a file with simple KEY=VAL pairs on separate lines (/etc/environment by default). You can change the default file to parse, with the envfile flag and turn it on or off by setting the readenv flag to 1 or 0 respectively.

It looks like readenv=1 in this very line is responsible for parsing /etc/environment when sudo runs. Indeed, setting this to 0 (or commenting the entire line out) makes sudo sh -c 'echo $FOO' in my Ubuntu behave like in Debian.

Kamil Maciorowski

Absolutely correct. I wasn't thinking about PAM's involvement in the env part at all. The explanation you provided is spot on, thanks for that. – Numppa Jun 09 '19 at 13:04
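The mechanism in the answer, as an added audit helper that is not code from the original post: it inspects a PAM service file such as /etc/pam.d/sudo and reports whether pam_env will read an environment file during session setup, which is what lets /etc/environment survive env_reset on Ubuntu. It assumes pam_env's documented default of readenv=1 when the option is absent; the sample files are constructed, not copies of the real /etc/pam.d/sudo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a PAM service file and
# report whether pam_env will read an environment file at session setup.
# Assumption: pam_env treats a missing readenv= option as readenv=1.

# audit_pam_env FILE -> prints "yes <envfile>" when an active (uncommented)
# session line loads pam_env.so with readenv enabled, otherwise "no".
audit_pam_env() {
    awk '
        /^[[:space:]]*#/ { next }                  # comment lines are inert
        $1 == "session" && /pam_env\.so/ {
            on = 1; file = "/etc/environment"      # pam_env defaults
            for (i = 1; i <= NF; i++) {
                if ($i == "readenv=0") on = 0
                if ($i ~ /^envfile=/) file = substr($i, 9)
            }
            if (on) { print "yes " file; found = 1; exit }
        }
        END { if (!found) print "no" }
    ' "$1"
}

# make_samples -> writes constructed stand-ins for the two configs discussed
# (Ubuntu with the pam_env line, Debian without) plus the "readenv=0" fix
# from the answer, and prints the directory holding them.
make_samples() {
    d=$(mktemp -d)
    printf '%s\n' '#%PAM-1.0' \
        'session    required   pam_env.so readenv=1 user_readenv=0' \
        '@include common-auth' > "$d/ubuntu"
    printf '%s\n' '#%PAM-1.0' '@include common-auth' > "$d/debian"
    printf '%s\n' '#%PAM-1.0' \
        'session    required   pam_env.so readenv=0 user_readenv=0' \
        '@include common-auth' > "$d/ubuntu-fixed"
    echo "$d"
}

# Run the audit over the constructed samples; on a real host point it at
# /etc/pam.d/sudo instead.
samples=$(make_samples)
for cfg in ubuntu debian ubuntu-fixed; do
    printf '%-13s pam_env reads env file: %s\n' "$cfg" "$(audit_pam_env "$samples/$cfg")"
done
rm -rf "$samples"
```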