15

In short: how to make sudo not flush PATH every time?

I have some websites deployed on my server (Debian testing) written with Ruby on Rails. I use Mongrel+Nginx to host them, but there is one problem that comes when I need to restart Mongrel (e.g. after making some changes).

All sites are checked in VCS (git, but it is not important) and have owner and group set to my user, whereas Mongrel runs under the, huh, mongrel user that is severely restricted in its rights. So Mongrel must be started under root (it can automatically change UID) or mongrel.

To manage mongrel I use the mongrel_cluster gem because it allows starting or stopping any number of Mongrel servers with just one command. But it needs the directory /var/lib/gems/1.8/bin to be in PATH: it is not enough to start it with an absolute path.

Modifying PATH in root's .bashrc changed nothing, and tweaking sudo's env_reset and env_keep didn't either.

So the question: how to add a directory to PATH, or keep the user's PATH, in sudo?

Update: some examples

$ env | grep PATH
PATH=/usr/local/bin:/usr/bin:/bin:/usr/games:/var/lib/gems/1.8/bin
$ sudo cat /etc/sudoers | egrep -v '^$|^#'
Defaults    env_keep = "PATH"
root    ALL=(ALL) ALL
%sudo ALL=NOPASSWD: ALL
$ sudo env | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11R6/bin

Also I can say that it works exactly this way in Debian stable (lenny) too.

Catherine
  • 16,610

4 Answers

13

Struggled with the same problem for a few hours. In Debian lenny, you can fix it by adding

Defaults        exempt_group=<your group>

to the sudoers file.

This is the only way to go around the compiled --secure-path option, (as far as I know).

Notably, this will also exempt users from needing to enter their password when they sudo.

jonnybot
  • 150
Rob
  • 146
4

If you have secure_path set in /etc/sudoers, you can play with env_reset / env_keep all you like and it won't make any difference to the path. If you see something like this, comment it out.

Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin
Draemon
  • 778
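Added example, not code from any answer in this thread, tying together the exempt_group answer and the secure_path answer above. Both of those work by switching the protection off: secure_path exists so that root never executes a binary found through a directory the invoking user controls, and exempt_group additionally drops the password prompt, as that answer notes. An alternative that leaves secure_path in force is to let sudo find env(1) in its secure path and have env re-export the caller's PATH before exec'ing the real command (this needs a sudoers rule that permits running env; the ALL rule in the question does). The script below also parses a sudoers-style file to report which setting will decide PATH. SUDO_CMD, SECURE_PATH, fake_sudo and the sample sudoers lines in the demo are assumptions made for this example so it runs without root; fake_sudo mimics a sudo built with a compiled-in secure_path, and for real use SUDO_CMD is left at its default of sudo.

```shell
#!/bin/sh
# Added example for this thread (not code from any answer). Two helpers:
#   sudoers_path_policy FILE   which sudoers setting decides PATH under sudo
#   with_user_path CMD...      run CMD via sudo with the caller's PATH while
#                              leaving secure_path in force
# SUDO_CMD, SECURE_PATH and fake_sudo are assumptions of this example so it can
# run without root; fake_sudo mimics a sudo built with a compiled-in secure_path.

# Prints one of:
#   secure_path   Defaults secure_path is set: env_keep for PATH is ignored
#   no_env_reset  Defaults !env_reset: the whole environment, PATH included, passes
#   env_keep      env_reset is on but PATH is listed in env_keep, so it survives
#   env_reset     PATH is scrubbed (sudo's default)
# A secure_path compiled in with --with-secure-path never shows up in the file;
# on current sudo releases `sudo -V` run as root prints the effective value.
sudoers_path_policy() {
    # drop comment lines, then join backslash-continued lines
    cfg=$(sed -e 's/^[[:space:]]*#.*//' "$1" | sed -e :a -e '/\\$/N; s/\\\n//; ta')
    defaults=$(printf '%s\n' "$cfg" | grep '^Defaults' || true)
    if printf '%s\n' "$defaults" | grep -v '!secure_path' | grep -q 'secure_path'; then
        echo secure_path
    elif printf '%s\n' "$defaults" | grep -q '!env_reset'; then
        echo no_env_reset
    elif printf '%s\n' "$defaults" | grep 'env_keep' | grep -q '[" ]PATH[" ]'; then
        echo env_keep
    else
        echo env_reset
    fi
}

# Emulates sudo built with --with-secure-path: PATH is replaced before the
# command is exec'd, which is exactly what makes `Defaults env_keep = "PATH"`
# ineffective. Assumed secure path; real sudo uses its compiled-in value.
SECURE_PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
fake_sudo() {
    ( PATH=$SECURE_PATH; export PATH; exec "$@" )
}

SUDO_CMD=${SUDO_CMD:-sudo}   # set SUDO_CMD=fake_sudo to try this without root

# sudo locates env(1) through secure_path; env exports the caller's PATH and
# execs CMD. secure_path stays in force for everything else and no password
# exemption is granted. sudoers must allow running env (an ALL rule does).
with_user_path() {
    $SUDO_CMD env PATH="$PATH" "$@"
}

# Demo without root (in a subshell so the real-sudo default is untouched):
(
    SUDO_CMD=fake_sudo
    PATH=$PATH:/var/lib/gems/1.8/bin   # constructed; directory need not exist
    echo "through sudo alone: $(fake_sudo sh -c 'echo "$PATH"')"
    echo "with_user_path:     $(with_user_path sh -c 'echo "$PATH"')"
)
```

For the asker's setup the call would be `with_user_path mongrel_cluster_ctl restart` (with SUDO_CMD left at sudo), which gives mongrel_cluster the gems bin directory through PATH while root's own lookup of env still goes through secure_path only.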
0

I'd say look into the env_reset and env_keep options in man sudo. But it sounds like you've already done that (you just mistakenly call env_keep "keepenv"). If you disable the env_reset option (default is enabled), I think it's not supposed to erase any env variables. But this is less secure.

There's also a secure_path option to sudo; I think this is enabled by default. You could try disabling it.

The preceding options are set in your /etc/sudoers file. There's also the -i command-line option to sudo. That will cause sudo to run /root/.profile or /root/.login. You could set your desired path there.

dubiousjim
  • 1,148
-1

Well, you're doing something wrong. Also, you didn't specify what you did with your /etc/sudoers file. Here's what you should've done -- this is a CentOS system, BTW:

First, this is with the right env_keep setting (notice PATH is in there):

-> sudo grep -5 PATH /etc/sudoers
Defaults    env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR \
                    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                    LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                    LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                    _XKB_CHARSET XAUTHORITY PATH"

Defaults    timestamp_timeout = 15

## Next comes the main part: which users can run what software on
## which machines (the sudoers file can be shared between multiple

-> export PATH=$PATH:hithere
-> sudo sh -c 'echo $PATH'
/sbin:/bin:/usr/sbin:/usr/bin:/usr/kerberos/bin:/usr/local/bin:/bin:/usr/bin:/bin:hithere

Looks good. Now let's remove the env_keep setting and try again:

-> sudo visudo
-> sudo grep -5 PATH /etc/sudoers
                    LS_COLORS MAIL PS1 PS2 QTDIR USERNAME \
                    LANG LC_ADDRESS LC_CTYPE LC_COLLATE LC_IDENTIFICATION \
                    LC_MEASUREMENT LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC \
                    LC_PAPER LC_TELEPHONE LC_TIME LC_ALL LANGUAGE LINGUAS \
                    _XKB_CHARSET XAUTHORITY"
 #_XKB_CHARSET XAUTHORITY PATH"

What a sad PATH:

 -> sudo sh -c 'echo $PATH'
 /usr/bin:/bin
Emmel
  • 351