I'm running sudo-1.8.6 on CentOS 6.5. My question is very simple: how do I prevent `SHELL` from propagating from a user's environment to a sudo environment? Usually people are going the other way: they want to preserve an environment variable. However, I am having an issue where my user "zabbix", whose shell is `/sbin/nologin`, tries to run a command via sudo. Sudo is preserving the `/sbin/nologin` so that root cannot run subshells.

I include a test that illustrates the problem; this is not my real-world use case, but it simply illustrates that the calling user's `SHELL` is preserved. I have a program that runs as user `zabbix`. It calls `/usr/bin/sudo -u root /tmp/doit` (the program running as `zabbix` is a daemon, so the `/sbin/nologin` shell in the password file does not prevent it). `/tmp/doit` is a shell script that simply has:

<pre>
#!/bin/sh
env > /tmp/outfile
</pre>

(Its mode is 755, obviously.) In `outfile` I can see that `SHELL` is `/sbin/nologin`. However, at this point the script is running as root, via sudo, so it should not have the previous user's environment variables, right?
Here is my `/etc/sudoers`:

<pre>
Defaults requiretty
Defaults !visiblepw
Defaults always_set_home
Defaults env_reset
Defaults env_keep = "COLORS DISPLAY HOSTNAME HISTSIZE INPUTRC KDEDIR LS_COLORS"
Defaults env_keep += "MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE"
Defaults env_keep += "LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES"
Defaults env_keep += "LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE"
Defaults env_keep += "LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY"
Defaults secure_path = /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin

## Allow root to run any commands anywhere
root ALL=(ALL) ALL

#includedir /etc/sudoers.d
</pre>

And here is my `/etc/sudoers.d/zabbix`:

<pre>
Defaults:zabbix !requiretty
zabbix ALL=(root) NOPASSWD: /tmp/doit
</pre>

Edit: A little more information. The process running the sudo is `zabbix_agentd`, from the Zabbix monitoring software. There is an entry in the `/etc/zabbix/zabbix_agentd.d/userparameter_disk.conf` file which looks like:

<pre>
UserParameter=example.disk.discovery,/usr/local/bin/zabbix_raid_discovery
</pre>

`/usr/local/bin/zabbix_raid_discovery` is a Python script. I have modified it to simply do this:

<pre>
import subprocess

# Run /tmp/doit as root via sudo and print whatever it writes to stdout
print subprocess.check_output(['/usr/bin/sudo', '-u', 'root', '/tmp/doit'])
</pre>

`/tmp/doit` simply does this:

<pre>
#!/bin/sh
env >> /tmp/outfile
</pre>

I run the following on my Zabbix server to run the `/usr/local/bin/zabbix_raid_discovery` script:

<pre>
zabbix_get -s client_hostname -k 'example.disk.discovery'
</pre>

Then I check the `/tmp/outfile`, and I see:

<pre>
SHELL=/sbin/nologin
TERM=linux
USER=root
SUDO_USER=zabbix
SUDO_UID=497
USERNAME=root
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MAIL=/var/mail/root
PWD=/
LANG=en_US.UTF-8
SHLVL=1
SUDO_COMMAND=/tmp/doit
HOME=/root
LOGNAME=root
SUDO_GID=497
_=/bin/env
</pre>

That `SHELL` line really bugs me.
The file is owned by root, so I know it's being created by the root user, but the shell is from the calling user (`zabbix`).
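The `env` dump above can be checked mechanically rather than by eye. The following script is an added example, not part of the question or of Zabbix: it reads such a dump, compares the account-identity variables (`HOME`, `SHELL`, `USER`, `LOGNAME`, `USERNAME`) against the values the target account should have, and prints whatever does not match, so a caller-supplied `SHELL` shows up as a one-line finding. The `audit_sudo_env` wrapper assumes `getent` is available to look up the target user's passwd entry; the sample dump is the one captured above.

```shell
#!/bin/sh
# Constructed sample: the /tmp/outfile contents captured in the question.
SAMPLE_DUMP='SHELL=/sbin/nologin
TERM=linux
USER=root
SUDO_USER=zabbix
SUDO_UID=497
USERNAME=root
PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/bin:/usr/local/sbin
MAIL=/var/mail/root
PWD=/
LANG=en_US.UTF-8
SHLVL=1
SUDO_COMMAND=/tmp/doit
HOME=/root
LOGNAME=root
SUDO_GID=497
_=/bin/env'

# check_target_vars DUMP HOME SHELL USER
# Reads an `env` dump taken inside the sudo'd command and prints, one per
# line, the NAME=VALUE pairs among HOME, SHELL, USER, LOGNAME and USERNAME
# that differ from the target account values passed as arguments.
# Empty output means none of those variables came from the caller.
check_target_vars() {
    dump=$1; want_home=$2; want_shell=$3; want_user=$4
    printf '%s\n' "$dump" | while IFS= read -r line; do
        name=${line%%=*}; value=${line#*=}
        case $name in
            HOME)  [ "$value" = "$want_home" ]  || printf '%s\n' "$line" ;;
            SHELL) [ "$value" = "$want_shell" ] || printf '%s\n' "$line" ;;
            USER|LOGNAME|USERNAME)
                   [ "$value" = "$want_user" ]  || printf '%s\n' "$line" ;;
        esac
    done
}

# audit_sudo_env DUMP
# Takes the target account from the USER= line of the dump, looks up its
# home directory and login shell with getent (assumed available), and runs
# check_target_vars against them. Returns 2 if the account cannot be found.
audit_sudo_env() {
    dump=$1
    user=$(printf '%s\n' "$dump" | sed -n 's/^USER=//p' | head -n 1)
    entry=$(getent passwd "$user") || return 2
    home=$(printf '%s\n' "$entry" | cut -d: -f6)
    shell=$(printf '%s\n' "$entry" | cut -d: -f7)
    check_target_vars "$dump" "$home" "$shell" "$user"
}
```

Running `audit_sudo_env "$(cat /tmp/outfile)"` on the agent host reports only the variables that still carry the calling user's values, which is the quickest way to see whether a sudoers change actually fixed the leak.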