Bash – How to Keep All Environment Variables for Specific Command in sudo

bashenvironment-variablessudo

I have a script that sets several environment variables and then finally calls another script using sudo.

The script run with sudo must be able to pick up those variables, and I'm not always going to be certain what those variables are.

Is there a way of configuring this sudoers entry to allow the command complete access to the callers env vars?

%deploy ALL=NOPASSWD: /bin/build.sh

When I run the sudo command from my script:

sudo -E build.sh "$@"

I get:

sudo: sorry, you are not allowed to preserve the environment

Googling around I've only found ways to preserve specific variables and not just everything.

Best Answer

After testing the first answer and still getting sudo: sorry, you are not allowed to preserve the environment, I decided to look around for a better solution.

After a bit of testing, I found that the option that matters is setenv.

Defaults!/bin/build.sh setenv

To make it a little more secure, we can add a couple settings:

Defaults    secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/X11/bin"
Defaults!/bin/build.sh setenv,env_reset,env_delete+=PATH,env_delete+=LD_PRELOAD,env_delete+=LD_LIBRARY_PATH,env_delete+=SSH_AUTH_SOCK,env_delete+=PYTHONPATH,env_delete+=PERL5LIB
%deploy  ALL=(ALL) NOPASSWD: /bin/build.sh *

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

This looks like an intentional configuration in Arch Linux. See this for discussion with links to solutions.

The best tip there seems to be adding "DISPLAY XAUTHORITY" to to the "env_keep" defaults in /etc/sudoers.

Fedora has in /etc/sudoers the following and this allows sudo somexapp to succeed.

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Shell – How to set global environment variables at boot through a script, and have them available for an application that runs before login

You can try putting a script to gather the variables in /etc/profile.d/

Example:

/etc/profile.d/somescript.sh

#!/bin/bash
TEST=$(cat /var/somefile)
export $TEST

/etc/profile does a call that will run any script in /etc/profile.d/, and this applies to all users on the system including root.

Best Answer

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

Shell – How to set global environment variables at boot through a script, and have them available for an application that runs before login

Related Question