I was going through the sudoers configuration and checking how it works.

I noticed that, unlike on many other distributions, sudo propagates many environment variables that would otherwise be cleared:


echo "$LD_LIBRARY_PATH" && sudo sh -c 'echo $LD_LIBRARY_PATH'

echo "$PATH" && sudo sh -c 'echo $PATH'

echo "$XAUTHORITY" && sudo sh -c 'echo $XAUTHORITY'

echo "$DISPLAY" && sudo sh -c 'echo $DISPLAY'


Only `HOME` is set to `/root` as it should be.

Looking at the sudoers file we see:


# Don't edit this file. Set the NixOS options 'security.sudo.configFile'
# or 'security.sudo.extraConfig' instead.

# Environment variables to keep for root and %wheel.
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
Defaults:root,%wheel env_keep+=TERMINFO

# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK

# "root" is allowed to do anything.
root        ALL=(ALL:ALL) SETENV: ALL

# Users in the "wheel" group can do anything.
%wheel      ALL=(ALL:ALL) SETENV: ALL


Which is the default sudoers file currently on master.

The sudoers documentation says that `env_reset` is enabled by default, which would drop most environment variables. But it isn't specified inside the sudoers file.

What was the reasoning for _not_ resetting most environment variables, and what is the point of specifying `env_keep` if `TERMINFO_DIRS` and `TERMINFO` wouldn't be reset anyway?



Founder of Matrix AI

nix-dev mailing list

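To make the three settings the question turns on visible without having to run `sudo` at all, here is an added audit script (example code written for this thread, not the post's own commands and not part of NixOS). It reads a sudoers file and reports: whether any `Defaults` line disables `env_reset` (sudo's compiled-in default is on, so an absent keyword means the environment is reset), which variables the `env_keep` lists add back, and which user specs carry the `SETENV:` tag, which lets that user bypass `env_reset` for a command via `sudo -E` or `VAR=value`. The first sample is the NixOS sudoers quoted above; the second is a constructed, hypothetical file with `!env_reset` for contrast. It assumes a flat file with no `@include` / `#include` directives.

```shell
#!/bin/sh
# Added example: audit a sudoers file for env_reset, env_keep and SETENV.
# Assumes a single flat file (no @include/#include/#includedir lines).

# Constructed sample 1: the NixOS default sudoers quoted in the post.
SAMPLE_NIXOS=$(mktemp)
cat >"$SAMPLE_NIXOS" <<'EOF'
# Environment variables to keep for root and %wheel.
Defaults:root,%wheel env_keep+=TERMINFO_DIRS
Defaults:root,%wheel env_keep+=TERMINFO

# Keep SSH_AUTH_SOCK so that pam_ssh_agent_auth.so can do its magic.
Defaults env_keep+=SSH_AUTH_SOCK

root        ALL=(ALL:ALL) SETENV: ALL
%wheel      ALL=(ALL:ALL) SETENV: ALL
EOF

# Constructed sample 2 (hypothetical): env_reset switched off explicitly.
SAMPLE_NORESET=$(mktemp)
cat >"$SAMPLE_NORESET" <<'EOF'
Defaults !env_reset   # hypothetical: explicitly disables the reset
Defaults env_keep += "LD_LIBRARY_PATH XAUTHORITY"
%wheel ALL=(ALL:ALL) ALL
EOF
trap 'rm -f "$SAMPLE_NIXOS" "$SAMPLE_NORESET"' EXIT

# Drop '#' comments and blank lines (safe under the no-#include assumption).
sudoers_lines() {
    sed -e 's/[[:space:]]*#.*$//' -e '/^[[:space:]]*$/d' "$1"
}

# "reset" unless a Defaults line contains !env_reset; sudo's built-in
# default is env_reset on, so no keyword at all still means "reset".
env_reset_state() {
    if sudoers_lines "$1" | grep -Eq '^Defaults[^[:space:]]*[[:space:]].*!env_reset'; then
        echo noreset
    else
        echo reset
    fi
}

# All variables named in env_keep lists, across every Defaults scope,
# as one sorted space-separated line.
env_keep_vars() {
    sudoers_lines "$1" |
    grep -E '^Defaults.*env_keep' |
    sed -E 's/.*env_keep[[:space:]]*[+]?=[[:space:]]*//; s/"//g' |
    tr ' \t' '\n\n' | grep -v '^$' | LC_ALL=C sort -u | paste -sd ' ' -
}

# Exit 0 if the user spec for $2 (a user or %group) carries SETENV:.
# With SETENV the caller may pass VAR=value or use sudo -E, which
# overrides env_reset for that command regardless of env_keep.
setenv_granted() {
    sudoers_lines "$1" | grep -Eq "^$2[[:space:]].*SETENV:"
}

audit_sudoers() {
    printf '== %s\n' "$1"
    printf 'env_reset: %s\n' "$(env_reset_state "$1")"
    printf 'env_keep : %s\n' "$(env_keep_vars "$1")"
    for who in root %wheel; do
        if setenv_granted "$1" "$who"; then
            printf 'SETENV   : %s may override env_reset with -E or VAR=value\n' "$who"
        fi
    done
}

audit_sudoers "$SAMPLE_NIXOS"
audit_sudoers "$SAMPLE_NORESET"
```

Run it against a copy of `/etc/sudoers` to see the same three facts for a real host; note that on a system where `sudoers_lines` reports `reset` and the user has `SETENV:`, the variables that survive a plain `sudo` are the `env_keep` set, but the user can still push any variable through on the command line.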