I was going through the sudoers configuration and checking how it works.
I noticed that, unlike many other distributions, sudo propagates many
environment variables that would be cleared:

    echo "$LD_LIBRARY_PATH" && sudo sh -c 'echo $LD_LIBRARY_PATH'
    echo "$PATH" && sudo sh -c 'echo $PATH'
    echo "$XAUTHORITY" && sudo sh -c 'echo $XAUTHORITY'
    echo "$DISPLAY" && sudo sh -c 'echo $DISPLAY'

Only `HOME` is set to `/root` as it should be.
Looking at the sudoers file we see:

    # Don't edit this file. Set the NixOS options 'security.sudo.configFile'
    # or 'security.sudo.extraConfig' instead.
    # Environment variables to keep for root and %wheel.
    # Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
    # "root" is allowed to do anything.
    root ALL=(ALL:ALL) SETENV: ALL
    # Users in the "wheel" group can do anything.
    %wheel ALL=(ALL:ALL) SETENV: ALL

Which is the default sudoers file currently on master.
The sudoers documentation says that `env_reset` is enabled by default,
which would be dropping most environment variables. But it isn't specified
inside the sudoers file.
What was the reasoning for _not_ resetting most environment variables,
and what is the point of specifying `env_keep` if the `TERMINFO_DIRS`
and `TERMINFO` wouldn't be reset anyway?
Founder of Matrix AI
nix-dev mailing list
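
The four manual checks in the message above, generalized into a comparison of two full environment dumps. This is an added example, not part of the original post or of NixOS; the function names and the sample dumps (hypothetical user "alice") are constructed for illustration, and on a real host the two files would come from `env` and `sudo env`.

```shell
#!/bin/sh
# Added example. Lists variables that reach the sudo side with the same value
# the invoking user had, i.e. the ones that were not cleared or rewritten.
# Limitation: line-based, so multi-line values are not handled.

# survivors BEFORE AFTER  (two files in `env` output format)
survivors() {
    awk '
    {
        eq = index($0, "=")
        if (eq < 2) next                           # not a NAME=value line
        name = substr($0, 1, eq - 1)
        if (name !~ /^[A-Za-z_][A-Za-z0-9_]*$/) next
        value = substr($0, eq + 1)
    }
    FILENAME == ARGV[1] { before[name] = value; next }
    (name in before) && before[name] == value { print name }
    ' "$1" "$2" | LC_ALL=C sort
}

# demo: run survivors over constructed dumps.
# On a real host: env > before; sudo env > after
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
HOME=/home/alice
USER=alice
PATH=/home/alice/bin:/run/current-system/sw/bin
LD_LIBRARY_PATH=/home/alice/lib
DISPLAY=:0
XAUTHORITY=/home/alice/.Xauthority
EOF
    cat > "$dir/after" <<'EOF'
HOME=/root
USER=root
SUDO_USER=alice
PATH=/home/alice/bin:/run/current-system/sw/bin
LD_LIBRARY_PATH=/home/alice/lib
DISPLAY=:0
XAUTHORITY=/home/alice/.Xauthority
EOF
    survivors "$dir/before" "$dir/after"
    rm -rf "$dir"
}

demo
```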