I'm running sudo-1.8.6 on CentOS 6.5. My question is very simple: How do I prevent SHELL from propagating from a user's environment to a sudo environment?

Usually people are going the other way- they want to preserve an environment variable. However, I am having an issue where my user "zabbix" whose shell is `/sbin/nologin` tries to run a command via sudo. Sudo is preserving the `/sbin/nologin` so that root cannot run subshells.

I include a test that illustrates the problem; this is not my real-world use case but it simply illustrates that the calling user's SHELL is preserved. I have a program that runs as user `zabbix`. It calls `/usr/bin/sudo -u root /tmp/doit` (the programming running as `zabbix` is a daemon, so the `/sbin/nologin` shell in the password file does not prevent it). `/tmp/doit` is a shell script that simply has:

    #!/bin/sh
    env > /tmp/outfile

In `outfile` I can see that `SHELL` is `/sbin/nologin`. However, at this point the script is running as root, via sudo, so it should not have the previous user's environment variables, right?

Here is my /etc/sudoers:
<pre>
Defaults    requiretty
Defaults   !visiblepw

Defaults    always_set_home
Defaults    env_reset
Defaults    env_keep =  "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults    env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults    env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults    env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults    env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults    secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

## Allow root to run any commands anywhere 
root    ALL=(ALL)       ALL

#includedir /etc/sudoers.d
</pre>
And here is my `/etc/sudoers.d/zabbix`:
<pre>
Defaults:zabbix !requiretty

zabbix    ALL=(root) NOPASSWD:       /tmp/doit
</pre>