41

I'm running into the following error trying to allow some environment variables to pass through to the new environment when running sudo:

sudo: sorry, you are not allowed to preserve the environment

Some information that may be helpful to debug:

[deploy@worker1 ~]$ sudo -l
    Matching Defaults entries for deploy on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET
    XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, env_keep+="GIT_WORK_TREE GIT_DIR", !requiretty

User deploy may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/git, (ALL) /etc/init.d/httpd*, (ALL) /sbin/service, (ALL) /usr/bin/make, (ALL) /bin/echo

My running example:

[deploy@worker1 ~]$ export GIT_DIR="/home/ashinn/testing"
[deploy@worker1 ~]$ sudo -E sh -c 'echo "$GIT_DIR"'
sudo: sorry, you are not allowed to preserve the environment

My sudoers.d file for this specific configuration:

Defaults:deploy         env_keep += "GIT_WORK_TREE GIT_DIR", !requiretty
deploy  ALL=(ALL)       NOPASSWD: /usr/bin/git, /etc/init.d/httpd*, /sbin/service, /usr/bin/make, /bin/echo

I've also tried adding !env_reset to the Defaults and it still fails with the same error. I feel like I may be missing something obvious and need a second set of eyes. What am I missing here?

Andy Shinn
  • 533
  • 1
  • 4
  • 9
  • 2
    I believe that approximately 93% of us understand the point of your question, but your example command isn't very good.  `sudo ` *`(option(s)) `* `echo $GIT_DIR`, if it doesn't fail outright, will display the pre-`sudo` value of `$GIT_DIR`, because the shell expands the variable in the command line before `sudo` is even invoked.  Better tests are `sudo printenv GIT_DIR` or `sudo env | grep GIT_DIR` or `sudo sh -c 'echo "$GIT_DIR"'`, where we're actually looking at the environment of the process that's running privileged. – G-Man Says 'Reinstate Monica' Nov 21 '15 at 07:00
  • See also [this question on Stack Overflow](https://stackoverflow.com/questions/8633461/how-to-keep-environment-variables-when-using-sudo). – Franklin Yu Aug 16 '18 at 00:22

2 Answers2

64

You can use the SETENV "Tag" in your sudoers file, as in :

deploy  ALL=(ALL)       SETENV: /usr/bin/git, /etc/init.d/httpd*, /sbin/service, /usr/bin/make, /bin/echo

Or, to combine it with NOPASSWD:

deploy  ALL=(ALL)       NOPASSWD:SETENV: /usr/bin/git, /etc/init.d/httpd*, /sbin/service, /usr/bin/make, /bin/echo

Relevant excerpt from the sudoers man :

SETENV and NOSETENV

These tags override the value of the setenv option on a per-command basis. Note that if SETENV has been set for a command, the user may disable the env_reset option from the command line via the -E option. Additionally, environment variables set on the command line are not subject to the restrictions imposed by env_check, env_delete, or env_keep. As such, only trusted users should be allowed to set variables in this manner. If the command matched is ALL, the SETENV tag is implied for that command; this default may be overridden by use of the NOSETENV tag.

iodbh
  • 756
  • 6
  • 8
0

Don’t specify the -E option. Using -E you´re saying that all the environment variables for the user deploy should be preserved, not only GIT_DIR

Running sudo echo $GIT_DIR should work because you've added GIT_DIR to the env_keep list

Giacomo1968
  • 53,069
  • 19
  • 162
  • 212
Stian S
  • 109
  • 2