I'm running into the following error trying to allow some environment variables to pass through to the new environment when running sudo:
sudo: sorry, you are not allowed to preserve the environment

Some information that may be helpful to debug:
[deploy@worker1 ~]$ sudo -l
Matching Defaults entries for deploy on this host:
    requiretty, !visiblepw, always_set_home, env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS", env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE", env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES", env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE", env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY", secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin, env_keep+="GIT_WORK_TREE GIT_DIR", !requiretty

User deploy may run the following commands on this host:
    (ALL) NOPASSWD: /usr/bin/git, (ALL) /etc/init.d/httpd*, (ALL) /sbin/service, (ALL) /usr/bin/make, (ALL) /bin/echo

My running example:
[deploy@worker1 ~]$ export GIT_DIR="/home/ashinn/testing"
[deploy@worker1 ~]$ sudo -E sh -c 'echo "$GIT_DIR"'
sudo: sorry, you are not allowed to preserve the environment

My sudoers.d file for this specific configuration:
Defaults:deploy env_keep += "GIT_WORK_TREE GIT_DIR", !requiretty
deploy ALL=(ALL) NOPASSWD: /usr/bin/git, /etc/init.d/httpd*, /sbin/service, /usr/bin/make, /bin/echo

I've also tried adding !env_reset to the Defaults and it still fails with the same error. I feel like I may be missing something obvious and need a second set of eyes. What am I missing here?
2 Answers
You can use the SETENV "Tag" in your sudoers file, as in:

deploy ALL=(ALL) SETENV: /usr/bin/git, /etc/init.d/httpd*, /sbin/service, /usr/bin/make, /bin/echo

Or, to combine it with NOPASSWD:

deploy ALL=(ALL) NOPASSWD:SETENV: /usr/bin/git, /etc/init.d/httpd*, /sbin/service, /usr/bin/make, /bin/echo

Relevant excerpt from the sudoers man page:
SETENV and NOSETENV
    These tags override the value of the setenv option on a per-command basis. Note that if SETENV has been set for a command, the user may disable the env_reset option from the command line via the -E option. Additionally, environment variables set on the command line are not subject to the restrictions imposed by env_check, env_delete, or env_keep. As such, only trusted users should be allowed to set variables in this manner. If the command matched is ALL, the SETENV tag is implied for that command; this default may be overridden by use of the NOSETENV tag.
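To make the quoted rules concrete, here is a small Python model of how sudoers decides which environment a command receives. It is an added illustration, not sudo's source code and not part of either answer: it implements only env_reset, env_keep, the setenv default, the SETENV/NOSETENV tags, -E and VAR=value arguments, with an assumed small subset of sudo's built-in env_delete list and approximated wording for the "command not allowed" message. The sample Defaults and user-spec lines are constructed from the question's sudo -l output, and the caller environment (including an LD_PRELOAD entry) is constructed test data.

```python
"""
Toy model of the sudoers environment rules quoted above.
Added illustration only (not sudo's source): it covers env_reset, env_keep,
the setenv default, the SETENV/NOSETENV tags, -E and VAR=value arguments.
"""
import fnmatch
import re

# Assumption: a small subset of sudo's built-in env_delete list (the real list is longer).
ENV_DELETE = {"LD_PRELOAD", "LD_LIBRARY_PATH", "IFS", "BASH_ENV", "ENV"}
PRESERVE_ERROR = "sorry, you are not allowed to preserve the environment"


def parse_defaults(lines):
    """Fold Defaults lines into {env_reset, setenv, env_keep}; later lines win."""
    policy = {"env_reset": True, "setenv": False, "env_keep": set()}
    for line in lines:
        if not line.startswith("Defaults"):
            continue
        body = line.split(None, 1)[1]          # drop "Defaults" / "Defaults:deploy"
        # Split on commas that sit outside double quotes.
        for item in re.split(r',\s*(?=(?:[^"]*"[^"]*")*[^"]*$)', body):
            m = re.match(r'(!?)(\w+)\s*(\+=|-=|=)?\s*"?([^"]*)"?$', item.strip())
            if not m:
                continue
            neg, name, op, value = m.groups()
            if name == "env_keep":
                names = set(value.split())
                if op == "+=":
                    policy["env_keep"] |= names
                elif op == "-=":
                    policy["env_keep"] -= names
                else:
                    policy["env_keep"] = names
            elif name in ("env_reset", "setenv"):
                policy[name] = neg != "!"
    return policy


def parse_user_spec(line):
    """Parse 'user HOST=(RUNAS) TAG: cmd, cmd' into [(tags, pattern), ...].
    As in sudoers, a tag stays in force for the rest of the command list."""
    cmd_list = re.sub(r"^\(.*?\)\s*", "", line.partition("=")[2].strip())
    specs, tags = [], set()
    for item in cmd_list.split(","):
        item = item.strip()
        while (m := re.match(r"([A-Z]+):\s*", item)):
            tag = m.group(1)
            tags.discard(tag[2:] if tag.startswith("NO") else "NO" + tag)
            tags.add(tag)
            item = item[m.end():]
        specs.append((set(tags), item))
    return specs


def resolve(policy, specs, command, caller_env, preserve=False, cli_vars=None):
    """Return the environment `command` receives, or raise PermissionError
    with sudo's wording. preserve=True models -E; cli_vars models VAR=value."""
    cli_vars = cli_vars or {}
    hit = next(((t, p) for t, p in specs if p == "ALL" or fnmatch.fnmatch(command, p)), None)
    if hit is None:  # wording approximated, not sudo's exact message
        raise PermissionError(f"user is not allowed to execute {command}")
    tags, pattern = hit
    # SETENV (or a command of ALL) overrides the setenv default; NOSETENV wins over both.
    setenv_ok = (policy["setenv"] or "SETENV" in tags or pattern == "ALL") and "NOSETENV" not in tags
    if preserve and not setenv_ok:
        raise PermissionError(PRESERVE_ERROR)
    if policy["env_reset"] and not preserve:
        env = {k: v for k, v in caller_env.items() if k in policy["env_keep"]}
    else:  # !env_reset or -E: keep everything except the env_delete set
        env = {k: v for k, v in caller_env.items() if k not in ENV_DELETE}
    # VAR=value arguments bypass env_keep/env_delete only when setenv is permitted.
    if not setenv_ok:
        bad = [k for k in cli_vars
               if k in ENV_DELETE or (policy["env_reset"] and k not in policy["env_keep"])]
        if bad:
            raise PermissionError(
                "sorry, you are not allowed to set the following environment variables: "
                + " ".join(bad))
    env.update(cli_vars)
    return env


def attempt(policy, specs, command, caller_env, **kw):
    """Same as resolve() but return the error text instead of raising."""
    try:
        return resolve(policy, specs, command, caller_env, **kw)
    except PermissionError as e:
        return str(e)


# Constructed sample data, taken from the question's `sudo -l` output.
DEFAULTS = [
    'Defaults requiretty, !visiblepw, always_set_home, env_reset, '
    'env_keep="COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"',
    'Defaults env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"',
    'Defaults:deploy env_keep += "GIT_WORK_TREE GIT_DIR", !requiretty',
]
ORIGINAL_SPEC = ("deploy ALL=(ALL) NOPASSWD: /usr/bin/git, /etc/init.d/httpd*, "
                 "/sbin/service, /usr/bin/make, /bin/echo")
FIXED_SPEC = ("deploy ALL=(ALL) NOPASSWD:SETENV: /usr/bin/git, /etc/init.d/httpd*, "
              "/sbin/service, /usr/bin/make, /bin/echo")
# Constructed caller environment; LD_PRELOAD stands in for anything on env_delete.
CALLER_ENV = {"GIT_DIR": "/home/ashinn/testing", "HISTFILE": "/home/deploy/.bash_history",
              "LD_PRELOAD": "/tmp/hook.so", "LANG": "en_US.UTF-8"}

if __name__ == "__main__":
    policy = parse_defaults(DEFAULTS)
    for label, spec in (("original", ORIGINAL_SPEC), ("with SETENV", FIXED_SPEC)):
        specs = parse_user_spec(spec)
        print(label, "sudo git:", attempt(policy, specs, "/usr/bin/git", CALLER_ENV))
        print(label, "sudo -E git:", attempt(policy, specs, "/usr/bin/git", CALLER_ENV, preserve=True))
        print(label, "sudo CFLAGS=-O2 make:",
              attempt(policy, specs, "/usr/bin/make", CALLER_ENV, cli_vars={"CFLAGS": "-O2"}))
```

Two things the model makes visible that the error message does not. First, -E is gated on the setenv option (or the SETENV tag), not on env_reset, which is why adding !env_reset to Defaults changed nothing; meanwhile plain `sudo git` already receives GIT_DIR because env_keep covers it. Second, once SETENV is granted, a VAR=value argument is no longer filtered by env_keep or env_delete, exactly as the man page warns, so the tag should only be paired with a short, fully specified command list and never with a command of ALL.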
Don't specify the -E option. Using -E you're saying that all the environment variables for the user deploy should be preserved, not only GIT_DIR.
Running sudo echo $GIT_DIR should work because you've added GIT_DIR to the env_keep list