I'm running sudo-1.8.6 on CentOS 6.5. My question is very simple: How do I prevent SHELL from propagating from a user's environment to a sudo environment?
Usually people are going the other way: they want to preserve an environment variable. However, I am having an issue where my user "zabbix", whose shell is /sbin/nologin, tries to run a command via sudo. Sudo is preserving the /sbin/nologin so that root cannot run subshells.
I include a test that illustrates the problem; this is not my real-world use case, but it simply illustrates that the calling user's SHELL is preserved. I have a program that runs as user zabbix. It calls /usr/bin/sudo -u root /tmp/doit (the program running as zabbix is a daemon, so the /sbin/nologin shell in the password file does not prevent it). /tmp/doit is a shell script that simply has:
#!/bin/sh
env > /tmp/outfile
In outfile I can see that SHELL is /sbin/nologin. However, at this point the script is running as root, via sudo, so it should not have the previous user's environment variables, right?
Here is my /etc/sudoers:
Defaults requiretty
Defaults !visiblepw
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

## Allow root to run any commands anywhere
root ALL=(ALL) ALL

#includedir /etc/sudoers.d
And here is my /etc/sudoers.d/zabbix:
Defaults:zabbix !requiretty
zabbix ALL=(root) NOPASSWD: /tmp/doit
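As an added example that is not part of the original question: whatever sudo's env_reset leaves in SHELL on this version, a script that runs as root and may spawn subshells should not take the inherited value on trust. The script below is a variant of /tmp/doit that validates SHELL before exporting it. The rejection rule (nologin/false stubs and non-absolute paths) and the fallback order (inherited value, then the running user's passwd shell, then /bin/sh) are assumptions chosen for this example, not anything the question or sudo prescribes.

```shell
#!/bin/sh
# Added example, not from the original post: a variant of /tmp/doit that does
# not trust whatever SHELL it inherits from the sudo invocation. The calling
# user (zabbix) has /sbin/nologin as its login shell, so any subshell spawned
# through $SHELL would refuse to run. The policy below (reject nologin/false
# stubs, fall back to the running user's passwd shell, then to /bin/sh) is an
# assumption made for this example.

# Print the login shell recorded in /etc/passwd for user $1.
# Prints nothing if the user is not found; never fails under set -e.
passwd_shell() {
    awk -F: -v u="$1" '$1 == u { print $7; exit }' /etc/passwd 2>/dev/null || true
}

# Succeed only if $1 is an absolute path to an executable that is not a
# nologin-style stub. This is the check applied to the inherited SHELL.
usable_shell() {
    case "$1" in
        ""|*/nologin|*/false) return 1 ;;
        /*) [ -x "$1" ] ;;
        *) return 1 ;;
    esac
}

# Choose the shell to export: the inherited value $1 if it passes
# usable_shell, otherwise the passwd shell of user $2 if that passes,
# otherwise /bin/sh.
pick_shell() {
    inherited=$1
    runas=$2
    if usable_shell "$inherited"; then
        echo "$inherited"
        return 0
    fi
    fallback=$(passwd_shell "$runas")
    if usable_shell "$fallback"; then
        echo "$fallback"
        return 0
    fi
    echo /bin/sh
}

# Pin SHELL for the rest of the script and for anything it spawns. The
# original /tmp/doit dumped the whole environment to /tmp/outfile; here the
# chosen value is printed instead so the script has no side effects.
SHELL=$(pick_shell "${SHELL:-}" "$(id -un)")
export SHELL
echo "SHELL=$SHELL"
```

Run it as the daemon would (sudo -u root /tmp/doit) and the printed SHELL is never /sbin/nologin, regardless of what the invoking user's passwd entry says; the validation happens inside the script, so it does not depend on any sudoers setting.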