[Nix-dev] Sudoers
Roger Qiu
roger.qiu at matrix.ai
Thu Sep 15 11:31:12 CEST 2016
Hi,
I was going through the sudoers configuration and checking how it works.
I noticed that, unlike many other distributions, sudo propagates many
environment variables that would be cleared:
```
echo "$LD_LIBRARY_PATH" && sudo sh -c 'echo $LD_LIBRARY_PATH'
echo "$PATH" && sudo sh -c 'echo $PATH'
echo "$XAUTHORITY" && sudo sh -c 'echo $XAUTHORITY'
echo "$DISPLAY" && sudo sh -c 'echo $DISPLAY'
```
Only `HOME` is set to `/root` as it should be.
Looking at the sudoers file we see:
```
# Don't edit this file. Set the NixOS options 'security.sudo.configFile'
# or 'security.sudo.extraConfig' instead.
# Environment variables to keep for root and %wheel.
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
Defaults:root,%wheel env_keep+=TERMINFO
# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK
# "root" is allowed to do anything.
root ALL=(ALL:ALL) SETENV: ALL
# Users in the "wheel" group can do anything.
%wheel ALL=(ALL:ALL) SETENV: ALL
```
Which is the default sudoers file currently on master.
The sudoers documentation says that `env_reset` is enabled by default,
which would be dropping most environment variables. But it isn't specified
inside the sudoers file.
What was the reasoning for _not_ resetting most environment variables,
and what is the point of specifying `env_keep` if the `TERMINFO_DIRS`
and `TERMINFO` wouldn't be reset anyway?
Thanks,
Roger
--
Founder of Matrix AI
https://matrix.ai/
+61420925975
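
Added example, not part of the original message: the four-variable check above, generalized to every variable by diffing a caller-side `env` dump against a sudo-side one. The function names, file names and sample values are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example. Compares two `env` dumps (one NAME=value per line) and lists
# the variables that reach the sudo side with the caller's value intact.
# Limitation: values containing newlines are not handled.

# propagated_vars CALLER_DUMP SUDO_DUMP -> sorted variable names on stdout
propagated_vars() {
    awk '
        {
            eq = index($0, "=")
            if (eq < 2) next                  # not a NAME=value line
            name = substr($0, 1, eq - 1)
            value = substr($0, eq + 1)
        }
        FILENAME == ARGV[1] { caller[name] = value; next }
        (name in caller) && caller[name] == value { print name }
    ' "$1" "$2" | sort
}

# Constructed sample dumps mirroring the behaviour reported in the message:
# only HOME differs on the sudo side. All values are made up.
sample_env() {   # $1 = HOME value to emit
    cat <<EOF
HOME=$1
PATH=/run/current-system/sw/bin
LD_LIBRARY_PATH=/opt/example/lib
DISPLAY=:0
XAUTHORITY=/home/alice/.Xauthority
TERMINFO_DIRS=/run/current-system/sw/share/terminfo
EOF
}

demo() {
    dir=$(mktemp -d) || return 1
    sample_env /home/alice > "$dir/caller.env"
    sample_env /root > "$dir/sudo.env"
    propagated_vars "$dir/caller.env" "$dir/sudo.env"
    rm -rf "$dir"
}

# Live use (needs sudo rights):
#   env > caller.env; sudo env > sudo.env; propagated_vars caller.env sudo.env
demo
```

With `env_reset` in effect, the live output should shrink to the variables sudo sets itself plus those named in `env_keep`.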