Sudo: allow one command to set one environment variable

environment-variablessudo

On my Debian Stretch system, I have

Defaults        env_reset

in my /etc/sudoers. I want to set up my system so that when running sshuttle, I don't have to enter my password for the call

sudo PYTHONPATH=/usr/lib/python3/dist-packages -- /usr/bin/python3 \
                                                  /usr/bin/sshuttle --method auto --firewall

So I created a file /etc/sudoers.d/sshuttle with the contents

username    ALL=NOPASSWD: /usr/bin/python3 /usr/bin/sshuttle --method auto --firewall

However, I get the error message

sudo: sorry, you are not allowed to set the following environment variables: PYTHONPATH

The optimal solution

should allow me to run exactly this one command with setting the PYTHONPATH, but would not affect the security of my sudo setup in, general, i.e., this restriction should still apply for the other entries in my sudoers files.
would not require me to change the sshuttle source code, i.e., it should work for the exact command specified above without modification.

What I tried so far:

modify the /etc/sudoers.d/sshuttle file to read username ALL=NOPASSWD: PYTHONPATH=/usr/lib/python3/dist-packages /usr/bin/python3 /usr/bin/sshuttle --method auto --firewall, but this seems not to be valid syntax

Notes:

I do not want to run the whole sshuttle command via sudo, as a) sshuttle doesn't need root rights except for the firewall part (the command this question about), and b) because then I always need to enter the passphrase for my SSH key (which is usually unlocked via gpg-agent for my own user, but not for the root user).

Best Answer

If the PYTHONPATH you need is constant, you can use /usr/bin/env (most underrated unix tool ever...):

username    ALL=NOPASSWD: /usr/bin/env PYTHONPATH=/usr/lib/python3/dist-packages /usr/bin/python3 /usr/bin/sshuttle --method auto --firewall

Or write a short wrapper script that sets up the environment before execing the python script.

If the PYTHONPATH is not constant, you might just as well use username ALL=NOPASSWD: ALL, since the user could override any python package that is used by sshuttle and put code doing anything imaginable in there.

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

This looks like an intentional configuration in Arch Linux. See this for discussion with links to solutions.

The best tip there seems to be adding "DISPLAY XAUTHORITY" to to the "env_keep" defaults in /etc/sudoers.

Fedora has in /etc/sudoers the following and this allows sudo somexapp to succeed.

Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"

Bash – How to prevent the caller’s shell from being used in sudo

Then answer is that sudo has a bug. First, the workaround: I put this in my /etc/sudoers.d/zabbix file:

zabbix    ALL=(root) NOPASSWD:       /bin/env SHELL=/bin/sh /usr/local/bin/zabbix_raid_discovery

and now subcommands called from zabbix_raid_discovery work.

A patch to fix this will be in sudo 1.8.15. From the maintainer, Todd Miller:

This is just a case of "it's always been like that".  There's not
really a good reason for it.  The diff below should make the behavior
match the documentation.

 - todd

diff -r adb927ad5e86 plugins/sudoers/env.c
--- a/plugins/sudoers/env.c     Tue Oct 06 09:33:27 2015 -0600
+++ b/plugins/sudoers/env.c     Tue Oct 06 10:04:03 2015 -0600
@@ -939,8 +939,6 @@
            CHECK_SETENV2("USERNAME", runas_pw->pw_name,
                ISSET(didvar, DID_USERNAME), true);
        } else {
-           if (!ISSET(didvar, DID_SHELL))
-               CHECK_SETENV2("SHELL", sudo_user.pw->pw_shell, false, true);
            /* We will set LOGNAME later in the def_set_logname case. */
            if (!def_set_logname) {
                if (!ISSET(didvar, DID_LOGNAME))
@@ -984,6 +982,8 @@
            if (!env_should_delete(*ep)) {
                if (strncmp(*ep, "SUDO_PS1=", 9) == 0)
                    ps1 = *ep + 5;
+               else if (strncmp(*ep, "SHELL=", 6) == 0)
+                   SET(didvar, DID_SHELL);
                else if (strncmp(*ep, "PATH=", 5) == 0)
                    SET(didvar, DID_PATH);
                else if (strncmp(*ep, "TERM=", 5) == 0)
@@ -1039,7 +1039,9 @@
     if (reset_home)
        CHECK_SETENV2("HOME", runas_pw->pw_dir, true, true);

-    /* Provide default values for $TERM and $PATH if they are not set. */
+    /* Provide default values for $SHELL, $TERM and $PATH if not set. */
+    if (!ISSET(didvar, DID_SHELL))
+       CHECK_SETENV2("SHELL", runas_pw->pw_shell, false, false);
     if (!ISSET(didvar, DID_TERM))
        CHECK_PUTENV("TERM=unknown", false, false);
     if (!ISSET(didvar, DID_PATH))

Best Answer

Related Solutions

KDE – Using Sudo on GUI Applications in Arch Linux

Bash – How to prevent the caller’s shell from being used in sudo

Related Question