On my Debian Stretch system, I have
Defaults env_reset
in my /etc/sudoers. I want to set up my system so that when running sshuttle, I don't have to enter my password for the call
sudo PYTHONPATH=/usr/lib/python3/dist-packages -- /usr/bin/python3 \
/usr/bin/sshuttle --method auto --firewall
So I created a file /etc/sudoers.d/sshuttle with the contents
username ALL=NOPASSWD: /usr/bin/python3 /usr/bin/sshuttle --method auto --firewall
However, I get the error message
sudo: sorry, you are not allowed to set the following environment variables: PYTHONPATH
The optimal solution
- should allow me to run exactly this one command with setting the PYTHONPATH, but would not affect the security of my sudo setup in general, i.e., this restriction should still apply for the other entries in my sudoers files.
- would not require me to change the sshuttle source code, i.e., it should work for the exact command specified above without modification.
What I tried so far:
- modify the /etc/sudoers.d/sshuttle file to read username ALL=NOPASSWD: PYTHONPATH=/usr/lib/python3/dist-packages /usr/bin/python3 /usr/bin/sshuttle --method auto --firewall, but this seems not to be valid syntax
Notes:
- I do not want to run the whole sshuttle command via sudo, as a) sshuttle doesn't need root rights except for the firewall part (the command this question is about), and b) because then I always need to enter the passphrase for my SSH key (which is usually unlocked via gpg-agent for my own user, but not for the root user).
Best Answer
If the PYTHONPATH you need is constant, you can use /usr/bin/env (most underrated unix tool ever...):
Or write a short wrapper script that sets up the environment before exec'ing the python script.
If the PYTHONPATH is not constant, you might just as well use username ALL=NOPASSWD: ALL, since the user could override any python package that is used by sshuttle and put code doing anything imaginable in there.
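The answer's last point also applies to a constant PYTHONPATH: the NOPASSWD rule is only as strong as the ownership and permissions of the directories it points at. The following check is an added example, not part of the original answer; it lists anything under a PYTHONPATH entry that is not owned by root or is writable by group or others. The function names are hypothetical and GNU find is assumed.

```shell
#!/bin/sh
# Added example: audit the directories a fixed PYTHONPATH points at before
# trusting them in a NOPASSWD sudoers rule. Assumes GNU find (Debian).

# unsafe_entries "DIR1:DIR2" [UID]
# Prints every path under the given PYTHONPATH entries that is not owned by
# UID (default 0, root) or that is writable by group or others. Entries that
# are relative or missing are reported too.
unsafe_entries() {
    owner=${2:-0}
    old_ifs=$IFS
    IFS=:
    set -f                 # split on ':' only, no glob expansion
    set -- $1
    set +f
    IFS=$old_ifs
    for dir in "$@"; do
        case $dir in
            /*) ;;
            *)  echo "not absolute: $dir"; continue ;;
        esac
        if [ ! -d "$dir" ]; then
            echo "missing: $dir"
            continue
        fi
        # -L follows symlinks so the link target's owner and mode are checked
        find -L "$dir" \( ! -uid "$owner" -o -perm /022 \) -print
    done
}

# pythonpath_is_locked "DIR1:DIR2" [UID]: exit status 0 only if nothing is flagged.
pythonpath_is_locked() {
    [ -z "$(unsafe_entries "$@")" ]
}

# Stand-alone use: sh audit.sh /usr/lib/python3/dist-packages
if [ "$#" -gt 0 ]; then
    unsafe_entries "$@"
fi
```

The parent directories of each entry need the same ownership and mode, since whoever can rename a parent can replace the whole tree.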